📢 Government Portal Privacy Concerns

🛑 Problem

Many government portals are exposing sensitive personal information about citizens that should not be freely accessible on the internet.

Unfortunately, most citizens don’t know who to contact or where to report these types of confidentiality breaches.


📝 Plan

In early April 2024, we discovered instances of sensitive data exposure. In response, we initiated a protocol to:


⚖️ Legal Basis

Under Law 97 of 2008 from Puerto Rico, the Office of the Citizen’s Advocate (Ombudsman) is responsible for addressing such incidents and ensuring proper notification is made:

"Must notify such citizens of any system security breach, when the breached data banks contained, in whole or in part, their personal information records and the data was not protected with cryptographic keys beyond a password."

The link https://www.ombudsman.pr.gov/reclamaciones allows you to submit a report using a form.

This law reinforces the importance of protecting citizen data and promotes accountability in managing digital platforms. However...

Limitation: The law states “from their own personal information file” and does not cover “information belonging to others.”

Chief Data Privacy Officer

Scenario

The "Chief Data Privacy Officer" urges citizens to report any personal information, such as Social Security numbers, that they find on government portals.

"We need your help in identifying personal information on our public web portals. Our citizens are unaware of older documents that contain PII that are being hosted on our systems."

Note: When finding sensitive and personal information belonging to others, you have a civil obligation not to store the information after reporting the breach, nor to use the information for identity theft.


During this CTF, no question relates to the contents of any file found to contain personal information. Even if you download such files, we ask that you do not open them except with tools that extract information automatically. Upon finishing your participation in the CTF, you attest: "I promise to permanently discard any information found."


✅ Our goal is to educate, report responsibly, and empower citizens and administrators to handle digital privacy risks with care and urgency.