The DICT’s **eGov ‘super app’** and its **eLGU platform**—used by **14 million Filipinos** and **924+ local government units (LGUs)**—were deployed **without signed contracts (MOAs/MOUs)** defining data protection responsibilities, breach reporting, or liability. An **internal audit (2025)** revealed **40 out of 85 eLGU-adopted LGUs had no agreements**, while **474 out of 973 iBPLS-adopted LGUs lacked complete MOAs**, exposing **unclear accountability** for data breaches. The system **collects excessive personal data upfront** (government IDs, live photos, signatures, addresses) even for basic services like viewing health centers, raising **proportionality concerns** under privacy laws. The absence of **Data Sharing Agreements (DSAs)** or formal policies leaves **no clear recourse for citizens** in case of breaches, despite **routine hacking incidents** (e.g., **19 government sites hacked in September 2025 protests**). DICT claims **no data is stored or shared** via eGovDX APIs, but **experts warn this creates legal ambiguity**, risking **COA disallowances** for irregular spending (e.g., **₱377.64M in contracts without enforceable agreements**). Former NPC officials highlight the **government’s poor track record** in breach accountability, citing unresolved cases like the **2016 Comelec hack**. The platform’s **lack of transparency** and **unmitigated risks** undermine trust in a system handling **sensitive citizen data** at scale.
Source: https://www.rappler.com/technology/egovph-app-no-contracts-data-breach-liabilities/
Department of Information and Communications Technology cybersecurity rating report: https://www.rankiteo.com/company/dictgovph
```json
{
  "id": "DIC2762527111925",
  "linkid": "dictgovph",
  "type": "Breach",
  "date": "6/2016",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
```
```python
{
    'affected_entities': [
        {
            'customers_affected': '14,000,000 (eGov app users as of July 2025)',
            'industry': 'Public Administration',
            'location': 'Philippines',
            'name': 'Department of Information and Communications Technology (DICT)',
            'type': 'Government Agency',
        },
        {
            'customers_affected': '14,000,000',
            'industry': 'E-Government',
            'location': 'Philippines',
            'name': 'eGov PH Super App',
            'type': 'Digital Platform',
        },
        {
            'industry': 'Local Government',
            'location': 'Philippines (924+ LGUs)',
            'name': 'eLGU Platform',
            'type': 'Digital Service',
        },
        {
            'industry': 'Public Services',
            'location': 'Philippines (e.g., Quezon City, Pateros, Laoag, Pinili, Cauayan, San Pablo City, Bulacan, Calapan, Odiongan)',
            'name': 'Local Government Units (LGUs) Using eLGU',
            'size': '924+ LGUs (as of Oct 2025)',
            'type': 'Government Entities',
        },
        {
            'industry': 'Healthcare',
            'location': 'Philippines',
            'name': 'PhilHealth',
            'type': 'Government Agency',
        },
        {
            'industry': 'Housing/Finance',
            'location': 'Philippines',
            'name': 'PAG-IBIG Fund',
            'type': 'Government Agency',
        },
        {
            'industry': 'Taxation',
            'location': 'Philippines',
            'name': 'Bureau of Internal Revenue (BIR)',
            'type': 'Government Agency',
        },
        {
            'industry': 'Social Insurance',
            'location': 'Philippines',
            'name': 'Social Security System (SSS)',
            'type': 'Government Agency',
        },
    ],
    'data_breach': {
        'personally_identifiable_information': 'Yes (extensive)',
        'sensitivity_of_data': 'High (includes IDs, biometrics, and passport details)',
        'type_of_data_compromised': [
            'Personally Identifiable Information (PII)',
            'Biometric Data (live photos, signatures)',
            'Government-Issued IDs',
            'Contact Information',
        ],
    },
    'date_detected': '2025',
    'date_publicly_disclosed': '2025-06-05',
    'description': (
        'A 2025 internal audit by the Department of Information and '
        'Communications Technology (DICT) in the Philippines uncovered '
        "that the eGov 'super app' and its eLGU (electronic Local "
        'Government Unit) platform were deployed nationwide without '
        'signed contracts (MOAs/MOUs) with LGUs. These contracts are '
        'critical for defining data protection responsibilities, '
        'breach reporting, and accountability. The audit highlights '
        "'significant non-compliance' and 'unclear liability' risks, "
        'especially as the platform collects excessive personal data '
        '(e.g., government IDs, live photos, signatures) from 14 '
        'million users—even for basic services like viewing health '
        'center locations. The absence of agreements also raises '
        'concerns about cybersecurity vulnerabilities, regulatory '
        'compliance (e.g., Data Privacy Act), and potential '
        'financial/legal repercussions. Former National Privacy '
        'Commission (NPC) officials warn of systemic risks, including '
        'difficulty assigning blame in breach scenarios, while DICT '
        'Undersecretary David Almirol Jr. defends the rollout under '
        'the Ease of Doing Business law (RA 11032), claiming contracts '
        'are unnecessary.'
    ),
    'impact': {
        'brand_reputation_impact': [
            'Erosion of public trust in eGov platform',
            'Perception of government negligence in data protection',
            'Potential backlash from 14M+ users',
        ],
        'data_compromised': [
            'Government IDs (e.g., driver’s license, passport)',
            'Live photos',
            'Full names',
            'Birthdates',
            'Addresses',
            'Signatures',
            'Phone numbers',
            'Emails',
            'Gender',
            'Passport details (for eTravel)',
        ],
        'identity_theft_risk': 'High (due to excessive collection of PII without safeguards)',
        'legal_liabilities': [
            'Violation of Data Privacy Act (Philippines)',
            'Potential NPC (National Privacy Commission) penalties',
            'Lack of legal recourse for affected citizens',
            'Risk of lawsuits from data subjects',
        ],
        'operational_impact': [
            'Unclear liability for data breaches',
            'Potential COA (Commission on Audit) disallowances',
            "Risk of 'irregular' budget usage",
            'Lack of breach notification protocols',
            'Difficulty in assigning accountability for cybersecurity incidents',
        ],
        'payment_information_risk': 'Moderate (eTravel requires passport details)',
        'systems_affected': [
            'eGov PH Super App',
            'eLGU Platform (924+ LGUs onboarded as of Oct 2025)',
            'Single Sign-On (SSO) System',
            'EGovDX Data Exchange APIs',
            'iBPLS (Integrated Business Permits and Licensing System)',
        ],
    },
    'investigation_status': 'Ongoing (NPC would investigate post-breach; DICT audit unresolved)',
    'lessons_learned': [
        "Lack of contracts creates 'unclear liability' and accountability gaps",
        'Excessive data collection without proportionality undermines trust',
        'Ease of Doing Business mandates should not override data protection',
        'API-based data exchanges require explicit safeguards',
        'Post-breach investigations are insufficient without preventive agreements',
    ],
    'motivation': [
        'Rapid Deployment Under Ease of Doing Business Law (RA 11032)',
        "Avoidance of 'Red Tape' (per ARTA advice)",
        'Centralization of Government Services',
    ],
    'post_incident_analysis': {
        'corrective_actions': [
            "DICT claims audit findings are 'resolved' (no evidence provided)",
            'Plan of action due by 09 June 2025 (status unknown)',
            'Potential COA disallowances pending',
        ],
        'root_causes': [
            'Absence of enforceable contracts (MOAs/MOUs) with LGUs',
            "Overreliance on ARTA’s 'red tape' exemption under RA 11032",
            'Lack of Data Processing Agreements (DPAs/DSAs)',
            'Unclear delineation of data controller/processor roles',
            'Excessive data collection without legal basis or proportionality',
            'Weak cybersecurity governance in EGovDX API integrations',
            'Failure to adopt NPC’s 2020 circular on data sharing transparency',
        ],
    },
    'recommendations': [
        'Execute uniform MOAs/MOUs with all LGUs to define roles/responsibilities',
        'Implement Data Sharing Agreements (DSAs) or Data Processing Outsourcing Agreements (DPOAs)',
        'Conduct proportionality assessments for data collection',
        'Establish clear breach notification protocols',
        'Publish transparent policies on data handling for users',
        'Align with NPC guidelines and international best practices (e.g., GDPR principles)',
        'Address COA risks to avoid budget disallowances',
        'Enhance cybersecurity measures (e.g., encryption, access controls) for EGovDX APIs',
    ],
    'references': [
        {'date_accessed': '2025', 'source': 'Rappler', 'url': 'https://www.rappler.com'},
        {'date_accessed': '2025', 'source': 'Department of Information and Communications Technology (DICT) Internal Audit (2025)'},
        {'source': 'Ease of Doing Business Law (RA 11032)'},
        {'source': 'Data Privacy Act of 2012 (Philippines)'},
        {'source': 'Joint Memorandum Circular (ARTA, DICT, DILG, DTI; April 2021)'},
    ],
    'regulatory_compliance': {
        'regulations_violated': [
            'Data Privacy Act of 2012 (Philippines)',
            'Potential COA (Commission on Audit) financial regulations',
            'NPC (National Privacy Commission) guidelines on data sharing',
        ],
        'regulatory_notifications': [
            'NPC would investigate post-breach (per DICT)',
            'Audit demanded corrective action by 09 June 2025',
        ],
    },
    'response': {
        'communication_strategy': [
            'DICT Undersecretary David Almirol Jr. defended rollout in media interviews',
            'No public advisory issued to users about risks',
        ],
        'incident_response_plan_activated': 'No (per audit findings; no clear protocols)',
        'law_enforcement_notified': 'No (NPC would investigate post-breach, per DICT)',
        'remediation_measures': [
            "DICT claims audit issue 'resolved' with Internal Audit Service (no details provided)",
            'Plan of action demanded by audit (due 09 June 2025)',
        ],
    },
    'title': "DICT Internal Audit Reveals 'Significant Non-Compliance' in eGov eLGU Platform Rollout Without Contracts",
    'type': [
        'Data Privacy Violation',
        'Regulatory Non-Compliance',
        'Governance Failure',
        'Excessive Data Collection',
    ],
    'vulnerability_exploited': [
        'Lack of Data Processing Agreements (DPAs/DSAs)',
        'Absence of Memoranda of Agreement (MOAs) with LGUs',
        'Unclear Accountability Frameworks',
        'Overcollection of Personal Data',
        'Weak Cybersecurity Safeguards in Government Systems',
    ],
}
```