Another file with 600 people's details exposed on the Government website

Two days ago I lodged a complaint at the Data Protection Office for a privacy breach regarding a spreadsheet on the Mauritian Government website (see article here). The said file revealed names, addresses, phone numbers, ID Card numbers along with other details.

After around 24 hours since the complaint, it seemed like officials "tried" to remedy the situation. I wasn't notified of anything, neither there was any public communiqué. I guess that's asking them too much for transparency. Never mind, after the 24 hours, the file contents were kind of modified. At first sight, some columns containing ID Card numbers, phone numbers etc were removed. However, recklessness continues on their end. How? Let's see.

Below is a snapshot when I first came across the file
list-1-compromised See, the third column C contains "comments" relating to some "application status", like "awaiting documents" etc. Seventh column G contained ID Card or Passport numbers. The last column N contained official remarks. As we can see the first entry had the following remarks:
App informed by phone on 28/03/06 he is no longer interested in ******** exam & refused to put it in writing upon our request

I had to remove the type of exam because it makes it too obvious. The point I want to highlight on this post is the seriousness of the breach. This document in NO WAY should have been online & publicly accessible. To note, the file has more than 9,000 entries, making details about all those people publicly accessible.

As stated earlier, after 24 hours or so, the file was edited. Reduced from 2.3MB to 672kB (^^,) ... Let's see what's been stripped.

list-2-compromised

This time several columns were removed, but, the person who edited the file didn't bother checking the 9,000+ entries. Again, maybe we're asking too much. You scroll down the page & alas you still find ID Card numbers lurking here & there, further down you would still see phone numbers.

Is that all? Nope. There's more.

Now, to add to the overall recklessness, there is another file around the same location that reveals 600 names, addresses & phone numbers etc. Aww! I should add the file seems to include both home & mobile numbers.

list-3-compromised

The Data Protection Office has been provided duly signed complaint forms regarding this matter along with supporting evidence. (It's been 48 hours now.) To remind, I was initially tipped-off this privacy blunder by someone who saw his name & phone number on the website and was anxious to know why so much is published. The person would like to keep his anonymity & I respect that.

Update 1

Following an article in Le Défi Quotidien, all links to the files have been removed. Aww! I can now mention it, the website was that of the Tourism Authority. See the footer section on the website, on the right it has a link mentioned as Directory. Previously, this section hosted all the spreadsheets (Excel) I mentioned in my two articles.


Share this post