A vulnerability was discovered on Proud Makatizen, a Covid-19 relief portal, that exposed data of over 300,000 Makati residents.
According to a report from vpnMentor, Proud Makatizen misconfigured an Amazon Web Services (AWS) S3 bucket, which exposed 39.7GB of data composed of over 620,000 files, including photos of ID cards (that include full names, addresses, photos, nationalities, etc.) as well as private medical and financial documents and information.
vpnMentor explains that Proud Makatizen was using an AWS S3 bucket, a popular enterprise cloud storage solution, to store data collected from its users. But they failed to properly implement the security settings, which left the contents exposed and accessible to anyone with a web browser and technical skills.
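The report does not say which security setting was wrong, so the following added example (not from vpnMentor or Proud Makatizen) audits the three S3 settings that usually decide whether a bucket is readable from outside the account: ACL grants, the bucket policy, and the Public Access Block. The input shapes follow AWS's GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses; the function name, bucket name and sample values are constructed for illustration.

```python
from fnmatch import fnmatchcase

PUBLIC_GROUPS = {  # predefined S3 groups that reach outside the account
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = ("s3:getobject", "s3:listbucket")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_read_findings(acl_grants, policy, pab):
    """Return reasons why principals outside the account can list or read objects."""
    findings = []
    if not pab.get("IgnorePublicAcls", False):  # True makes S3 ignore public ACLs
        for grant in acl_grants:
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS and grant.get("Permission") in ("READ", "FULL_CONTROL"):
                findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    if not pab.get("RestrictPublicBuckets", False):  # True limits access to the account
        for stmt in _as_list((policy or {}).get("Statement", [])):
            if stmt.get("Effect") != "Allow" or not _is_anyone(stmt.get("Principal")):
                continue
            if stmt.get("Condition"):
                continue  # simplification: conditioned statements need manual review
            for pattern in _as_list(stmt.get("Action", [])):
                if any(fnmatchcase(a, pattern.lower()) for a in READ_ACTIONS):
                    findings.append(f"policy allows {pattern} to any principal")
                    break
    return findings

# Constructed sample configuration (not data from the incident).
EXPOSED_ACL = [{"Grantee": {"Type": "Group",
                            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}]
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
NO_BLOCK = {"IgnorePublicAcls": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(public_read_findings(EXPOSED_ACL, EXPOSED_POLICY, NO_BLOCK))
    print(public_read_findings(EXPOSED_ACL, EXPOSED_POLICY, FULL_BLOCK))
```

An empty result means none of these three settings grants outside read access; it does not cover object-level ACLs or access points, which need their own review.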
vpnMentor discovered the vulnerability on March 30, 2022, and contacted the Philippines CERT (Computer Emergency Response Team) the following day. The vulnerability was fixed on April 7, 2022. The data may have been exposed for almost 2 years, from May 2020 to April 2022.
Over 300,000 Proud Makatizen users are potentially affected by the data breach, which involved over 620,000 files that included photos of ID cards, medical prescriptions, financial documents, and screenshots of bank transactions and proofs of payment. This potentially opens them to identity theft and fraud, phishing and smishing scams, and more.
Needless to say, concerned parties should be wary of any suspicious SMS or calls, and avoid clicking on suspicious links from emails and text messages. For more information on how to protect yourself from smishing scams, go here.