COVID19-Philippine Vaccination Certificate Information Data Leak

InfoSecDad
3 min read · Jun 24, 2022
Image from: https://www.elpaccto.eu/en/news/exchange-of-experiences-on-the-trafficking-of-vaccines-and-other-covid-medicines/

In today’s article, I want to share what I discovered today about a leak of Philippine Vaccination Certificate data.

Discovery:

One of my day-to-day tasks is to identify and correlate possible risks and threats to my company, and this also feeds my threat-hunting research. While setting up my environment, I ran my scraper to search the surface and deep web for strings and keywords related to my company, and instead it drew my attention to a possible breach/leak incident related to our government.

Analysis:

I ran data segregation and grepping on the command line and exported the results into a large set of text files. The data leak related to the Philippine Vaccination Certificate comes from a Philippine government Application Programming Interface (API). That API in turn connects to an overseas website through another API, which means the purpose of both interfaces is vaccination-certificate validation for overseas travel requirements.

The data included in the leak is:

- Name
- Contact Number
- Certificate ID
- Gender
- Age
- Nationality
- Complete Address
- Vaccination Information
  - Batch No.
  - Vaccine Brand
  - Manufacturer
  - Date of Vaccination
  - Full Address of Facility Location (Philippines)
  - Effective Date
  - Effective Expiration
  - Number of Doses
  - Total Doses
  - Name of Doctor or Verifier
  - Facility Location
  - Full Address of Facility Location (Country Visiting)
  - District
  - City
  - Region
  - Country
  - Postal Code

This is very alarming: the government did not identify this leak, which was posted in an underground group chat in September 2021, and almost 3000+ vaccination records are included in it!

Impact

Anyone with this information can use it to create their own vaccination certificate since, as I said, the structure of the leaked data shows that it came from an unsecured API.

Sample Structure: [image: Data Structure]

Sample Data Dump: [image: Data Dump]

Since this is a confirmed data breach/leak of an API whose purpose is to validate overseas requirements, what do we need to consider about the issue, and what are the possible violations in this incident?

Most of the information is COVID-19 or health related. It is required that both countries or regions connecting to this API be compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) standard. Under HIPAA, the regulator can fine the organization $50,000 (2.7M PHP) per violation.

Countries connecting to the Philippines should comply with the legal and regulatory requirements of the National Privacy Commission (Data Privacy Act of 2012). Conversely, when the Philippines connects to other countries, it should be aware of their local legal and regulatory requirements, such as the following:

- Malaysia imposed RM 300,000 (3M PHP) and 2 years of imprisonment
- Singapore: penalty for an IT vendor’s failure to comply with the PDPC, S$750,000 (29M PHP)
- Thailand’s penalty for a PDPC violation: THB 5M (7M PHP)

The information can also be used for identity theft and document forgery.

Conclusion:

System integration is one of the fastest ways to provide quicker transactions using an Application Programming Interface (API). But before we integrate with any system, we should perform proper due diligence on both parties to identify the applicable compliance requirements, specifically legal and regulatory ones.

Conduct penetration testing of your API to ensure its security. Define the information-sharing agreement with proper data security and boundaries, using threat modeling illustrated in a data-flow diagram. Each data element should be classified by severity or criticality level so that the appropriate security controls can be applied.
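As an added illustration (not the actual Philippine API or any code from this post), the following Python models the two practices recommended above on the field list from the leak: each field gets a criticality tier, and a validation endpoint allow-lists only what the verifier needs, with an audit check that flags over-exposed responses. All field names, tiers and sample values are assumptions.

```python
# Added illustration, not the real API: field-level data minimization for a
# vaccination-certificate validation response. Tiers are assumptions:
# 0 = needed to validate a certificate, 1 = personal data, 2 = sensitive
# personal/health data. A validation consumer should never need tier 1 or 2.
FIELD_TIER = {
    "certificate_id": 0, "effective_date": 0, "effective_expiration": 0,
    "number_of_doses": 0, "total_doses": 0, "fully_vaccinated": 0,
    "name": 1, "gender": 1, "age": 1, "nationality": 1,
    "contact_number": 2, "complete_address": 2, "batch_no": 2,
    "vaccine_brand": 2, "manufacturer": 2, "date_of_vaccination": 2,
    "facility_address": 2, "doctor_or_verifier": 2, "postal_code": 2,
}

# Constructed sample record shaped like the leaked structure (fake values).
SAMPLE_RECORD = {
    "certificate_id": "PH-EXAMPLE-0001", "name": "Juan Dela Cruz",
    "contact_number": "+63 900 000 0000", "gender": "M", "age": 34,
    "nationality": "Filipino", "complete_address": "1 Example St, Manila",
    "batch_no": "LOT-000", "vaccine_brand": "ExampleVax",
    "manufacturer": "Example Pharma", "date_of_vaccination": "2021-06-01",
    "facility_address": "Example Health Center, Manila",
    "effective_date": "2021-06-15", "effective_expiration": "2022-06-15",
    "number_of_doses": 2, "total_doses": 2,
    "doctor_or_verifier": "Dr. Example", "postal_code": "1000",
}


def leaky_response(record):
    """The 'before' pattern: the whole stored record goes back to the caller."""
    return dict(record)


def minimized_response(record, max_tier=0):
    """Hardened pattern: allow-list only fields at or below the consumer's
    permitted tier and return a derived validity flag instead of raw data."""
    out = {k: v for k, v in record.items() if FIELD_TIER.get(k, 99) <= max_tier}
    out["fully_vaccinated"] = record["number_of_doses"] >= record["total_doses"]
    return out


def overexposed_fields(response, max_tier=0):
    """Audit check (e.g. at an API gateway or over response logs): which
    fields exceed the permitted tier? Unclassified fields are flagged too,
    because an unclassified field is an unassessed risk."""
    return sorted(k for k in response if FIELD_TIER.get(k, 99) > max_tier)
```

Running `overexposed_fields(leaky_response(SAMPLE_RECORD))` lists every personal and health field the unsecured pattern exposes, while the minimized response yields an empty list.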
