Makati City denies any data breach on the Proud Makatizen Covid-19 portal. The statement comes in response to reports that the website exposed the data of over 300,000 Makati residents.
In a statement, Makati City government spokesperson Don Michael Camiña said there is no data breach, adding that the server where the supposed data was exposed was used for testing, that it contained only fictitious test data, and that no actual personal data was leaked. It has since been deactivated.
This started when cybersecurity firm vpnMentor released a report that claims Proud Makatizen misconfigured an Amazon Web Services (AWS) S3 bucket. They said that security settings were not properly implemented and left its contents exposed and accessible to anyone with a web browser and technical skills.
The vulnerability exposed 39.7GB of data, composed of over 620,000 files, including photos of ID cards (that include full names, addresses, photos, nationalities, etc.) as well as private medical and financial documents and information. This exposed portal users to fraud and identity theft.
Camiña maintains that Makati City citizens have not been compromised. “We assure the residents that the city government of Makati is committed to protecting their personal information,” he added.