
PHILIPPINE LAWBYTES 130: WARNING: The PAG-IBIG HDMF Website and the PAG-IBIG Fund Chat Site are NOT SECURE, copyright by Dr. Atty. Noel G. Ramiscal

In the onslaught of typhoon Maring, I decided to brave the rising waters in Calamba at 5 in the morning to go to the
MCLE seminar series for my lecture to the PAG-IBIG HDMF lawyers at Petron Mega Plaza last September 12, 2017,
so as not to be late. On the way, I was informed by a UP IAJ person that they will have to confirm with PAG-IBIG if
the MCLE lectures would proceed since government agencies’ operations had been suspended by Malacañan. I
could not get out of the bus and turn back to my home which would be more than 40 kilometers away in the gusty
rain. We were stranded for almost four hours at the South Expressway particularly in the portion where the Alaska
plant is located, where the waters have risen alarmingly high. Fortunately, PAG-IBIG decided to go on with the
seminar and I kept affirming for the waters to recede so that the traffic would ease up. The Supreme Being heard my
prayers and we arrived safely at the venue.

For my lecture on “Operationalizing Data Privacy and Security Requirements under the Data Privacy Law”, I decided
to focus on PAG-IBIG HDMF’s online sites, programs and social media accounts. Since their Chief Information
Security Officer (who is an IT person) was not present at this lecture for lawyers, I could not do an informal audit of the
PAG-IBIG’s IT policies and practices that have legal repercussions. Instead, I apprised the lawyers present of several
technological and legal measures their agency must undertake to secure the personal information of their clients that
reside in their website or online repositories.

One of the highlights of my lecture is my presentation of the state of insecurity of several government and GOCCs’
websites. As for the PAG-IBIG, I showed two websites of concern. The first is the general website of PAG-IBIG
HDMF which was deemed insecure by three browsers: Internet Explorer, Mozilla Firefox and Google Chrome.
Using the techniques I employed in my GSIS exposés, I present photographic evidence I took here:

The Internet Explorer browser’s “Properties” reveals that the PAG-IBIG home site is

The import of these is that any PAG-IBIG member who logs in their name, email address and telephone number on
the chat site could have these pieces of personal information stolen from them and utilized for notorious or nefarious
purposes by hackers.

What is also of concern here is that when I asked the over 50 lawyers present if they knew about this, or even the
existence of the PAGIBIG Fund chat site, all of them apparently had no idea that this chat site existed. This is the
tragedy of PAG-IBIG. It is even bigger than the GSIS because all Philippine employees in the private and public
sector are supposed to be part of this Fund. Since it has grown so huge, keeping tabs on all the technological
measures and programs they maintain, and anticipating, analyzing and addressing the legal issues they pose has
become a daunting challenge.

It was clear that no lawyer present in my MCLE lecture even reviewed the Service Level Agreement (SLA) that PAG-IBIG
had with Telephilippines. I did some perfunctory investigation, and it appears that Telephilippines is connected
with TelePerformance which has a very active presence in the Philippines for many years.

Teleperformance has two policies that are crucial here.

The first is its “Legal Statement” which provides in part:

We implement technical and organizational security measures to protect the data we are managing against
accidental or deliberate manipulation, against data loss or destruction, and against access to these data by
unauthorized persons. Our security measures are constantly updated as technology advances.

The second is its “Privacy Policy” which states:

Information Security. Safeguards must be placed to protect Personal Data which safeguards may include physical
and environment security such as facilities, workstation and integrity access control; computer security such as
security devices and encryption; employee security awareness such as new hire and annual training. Every
Teleperformance Company must implement a risk assessment and must be accountable for the organizational,
policies and procedures and documentation requirements.

It is difficult to draw conclusions at this stage because no lawyer and no one present during my lecture could tell me
anything about the SLA between these two. But as the support of the PAG-IBIG Fund on this chat site, at the very
least, Telephilippines/Teleperformance should have warned or apprised the PAG-IBIG HDMF Fund administrators of
the necessity of securing and encrypting this chat site, as their policies clearly made them aware of the dangers of
having e-data breached!

To their credit, the PAG-IBIG HDMF lawyers acknowledged my findings and took my comments graciously. They had
focused so much on the financial risks of the PAG-IBIG Fund, it is only now that they are grappling with the IT risks.

When I opened the PAG-IBIG HDMF website today on different computers, there was an announcement that their
online services are undergoing “maintenance”. This is probably a sign that some of the lawyers took my findings
seriously and reported these to the pertinent officials who took down the online services. As I told them during my
lecture, I only have the best of intentions in sharing my findings with them because I too, am a PAG-IBIG member, and
I have a great interest in seeing that the PAG-IBIG HDMF protects the personal information of all their members.

I trust that my lecture and my findings will actually result in PAG-IBIG HDMF Officials, BOT members and
management reassessing and remedying their website and other online services they offer to their members in terms
of online security and data privacy, taking into account the decision of the NPC relative to the COMELEC e-data
breach, and how that is being used in the current impeachment measures against the current COMELEC Chair.
PAG-IBIG officials and management should learn this lesson as fast as they can, even if it's already four years too
late, or else their heads might be on the next chopping blocks carved by NPC.
