Two days ago I lodged a complaint at the Data Protection Office for a privacy breach regarding a spreadsheet on the Mauritian Government website (see article here). The said file revealed names, addresses, phone numbers, ID Card numbers along with other details.
After around 24 hours since the complaint, it seemed like officials “tried” to remedy the situation. I wasn’t notified of anything, neither there was any public communiqué. I guess that’s asking them too much for transparency. Never mind, after the 24 hours, the file contents were kind of modified. At first sight, some columns containing ID Card numbers, phone numbers etc were removed. However, recklessness continues on their end. How? Let’s see.
See, the third column C contains “comments” relating to some “application status”, like “awaiting documents” etc. Seventh column G contained ID Card or Passport numbers. The last column N contained official remarks. As we can see the first entry had the following remarks:
I had to remove the type of exam because it makes it too obvious. The point I want to highlight on this post is the seriousness of the breach. This document in NO WAY should have been online & publicly accessible. To note, the file has more than 9,000 entries, making details about all those people publicly accessible.
As stated earlier, after 24 hours or so, the file was edited. Reduced from 2.3MB to 672kB (^^,) … Let’s see what’s been stripped.
This time several columns were removed, but, the person who edited the file didn’t bother checking the 9,000+ entries. Again, maybe we’re asking too much. You scroll down the page & alas you still find ID Card numbers lurking here & there, further down you would still see phone numbers.
Is that all? Nope. There's more.
Now, to add to the overall recklessness, there is another file around the same location that reveals 600 names, addresses & phone numbers etc. Aww! I should add the file seems to include both home & mobile numbers.
Following an article in Le Défi Quotidien, all links to the files have been removed. Aww! I can now mention it, the website was that of the Tourism Authority. See the footer section on the website, on the right it has a link mentioned as Directory. Previously, this section hosted all the spreadsheets (Excel) I mentioned in my two articles.