Privacy agency probes suspicious website

MANILA, Philippines — The National Privacy Commission (NPC) is probing a website that falsely associated itself with the Land Transportation Office (LTO) after the driver and motor vehicle registration agency reported a possible breach of the data under its care.

“The NPC shall verify the incident and look into the extent of possible harm on LTO’s data subjects to determine how to best resolve the situation,” privacy commissioner Raymund Liboro said after the LTO’s data protection officer reported a possible breach on Nov. 10.

“NPC is coordinating with the data protection officer of the LTO for us to be provided with more details of the incident,” he added.

Liboro identified the website as lisensya.info, which carried the LTO’s official logo but did not have any declaration of privacy policy or information on who was responsible for the website.

The website provided a “driver’s license authenticator” and a “motor vehicle authenticator” which, through the mere input of a driver’s license number or motor vehicle file number, would show sensitive information such as the make, plate number, engine number, chassis number, registration expiry date and name of the owner.

Netizens claimed that the data the site provided were accurate, raising suspicions of a leak in the LTO’s database as these are the types of information the LTO collects from motorists for registration, the NPC said.

The NPC said it was also processing a cease-and-desist order against the website and warned the public not to disclose their personal data on the website, noting that it would most likely be taken down by Thursday.

The LTO released an advisory last week warning motorists against providing personal information to lisensya.info.

“The lisensya.info website is not operated by or connected to the LTO. For everyone’s safety, please do not provide sensitive information to unverified links or accounts,” the LTO said in its advisory.

In a related development, the NPC also warned against the repurposing of collected personal data in client or visitor contact-tracing forms and employee health declaration forms for direct marketing, profiling, or any other use or purpose beyond what is required for COVID-19 prevention and control.

The NPC said repurposing personal data is punishable under the Data Privacy Act and it had already received a number of complaints of business establishments mishandling or misusing their contact-tracing data, such as a customer’s name, home address, age, cell phone number and email address.
