Alleged data breach in LTO portal affects data of clients, employees
(Updated: May 14, 2024, 2:20 p.m.)
The Land Transportation Office (LTO) has not yet released an official statement either admitting or debunking allegations of a security breach in its foreign-made information technology (IT) platform, the Land Transportation Management System (LTMS), which circulated on social media in recent weeks.
The alleged LTO data breach information technology editor and IT head on April 20, saying 45,008 customer credentials and 8,442 LTO employee data have been possibly leaked and that the Department of Information and Communications Technology (DICT) “will be on top of this situation.”
Meanwhile, an April 20 Facebook post by Deep Web Konek (DWK), an alliance of cyberthreat intelligence advocates with over 11,000 followers on the popular social networking site, mentioned that it has monitored an alleged data breach involving the LTO in the past week.
“Yesterday, a user reported a breach on LTO with a sample from one of their Regional Offices. There were two reports within this week sent to DWK. The other was 34 gigabytes (GB) of data was compromised, which the team is still waiting for samples for checking,” a portion of the post read. However, both IT experts and the DWK admitted they are waiting for additional information to verify the data breach reports.
It can be recalled that the controversial P3.14 billion LTMS project, which was aimed at digitizing the core processes of the LTO, was awarded in May 2018 to the joint venture of German technology firm Dermalog and three local companies: Holy Family Printing Corp., Microgenesis, and Verzontal Builders, Inc.
Just recently, the Supreme Court (SC) has submitted for resolution the petition filed by private citizens Gerald Domingo and Atty. Jose Carlito Montenegro, which sought to nullify the LTMS contract. The petitioners described the LTMS project as a flawed agreement that may eventually lead to a threat to national security and even a breach of informational privacy of the LTO data that includes private information of the agency’s clients. The petitioners also stressed that the LTMS remains incomplete and not fully functional due to defects in its design.
Aside from the cancellation of the LTMS contract, Domingo and Montenegro asked the SC to compel the LTO to blacklist Dermalog from participating in any public bidding process and file appropriate administrative and criminal cases against current and previous transportation officials involved in the said project.
The House Committee on Transportation has also conducted several hearings to discuss the irregularities of the LTMS contract, particularly on the red flags raised by the Commission on Audit (COA), which include project delays, advance payments, contract legality, and Dermalog’s possible link with other third-party providers.
Dermalog denies allegation
However, Dermalog said an investigation was conducted and found that “there was no unauthorized access to the LTMS database and the user login data that was offered on the dark web originated from a phishing or malware attack that directly tapped access data on private computers and, in some cases, computers of employees in local LTO offices.”
Dermalog added that in this case, there is no evidence that supports the alarm being floated on social media. “The fact that user data of LTO users has allegedly appeared on the dark web does not imply that it originated from a leak within the LTMS database.”
“In fact, the opposite is true: A forensic examination of the data carried out by IT security experts concluded that there was in fact no data breach in the LTMS.”
Dermalog clarified that unauthorized access to the LTMS database was ruled out as a possible source of the data. “Instead, it was found that the data originated from a phishing or malware attack that directly tapped access data from infected private computers of end users and, in some cases, computers of employees of local LTO offices.”