📢 Government Portal Privacy Concerns
🛑 Problem
Many government portals are exposing sensitive personal information about citizens that should not be freely accessible on the internet.
Unfortunately, most citizens don’t know who to contact or where to report these types of confidentiality breaches.
📝 Plan
In early April 2024, we discovered instances of sensitive data exposure. In response, we initiated a protocol to:
- Identify the owners, operators, or administrators of the affected portals.
- Notify them of the exposure and assist in understanding the risks involved.
⚖️ Legal Basis
Under Law 97 of 2008 from Puerto Rico, the Office of the Citizen’s Advocate (Ombudsman) is responsible for addressing such incidents and ensuring proper notification is made:
"Must notify such citizens of any system security breach, when the breached data banks contained, in whole or in part, their personal information records and the data was not protected with cryptographic keys beyond a password."
The link https://www.ombudsman.pr.gov/reclamaciones allows you to submit a report using a form.
This law reinforces the importance of protecting citizen data and promotes accountability in managing digital platforms. However...
Limitation: The law states “from their own personal information file” and does not cover “information belonging to others.”
Scenario
The "Chief Data Privacy Officer" urges citizens to report if they find personal information, such as Social Security numbers, on government portals.
"We need your help in identifying personal information on our public web portals. Our citizens are unaware of older documents that contain PII that are being hosted on our systems."
Note: When finding sensitive and personal information belonging to others, you have a civil obligation not to store the information after reporting the breach, nor to use the information for identity theft.
During this CTF, no question is related to the content of the file containing personal information found, and we ask that even if you download the files, you do not open them without tools that extract information automatically.
Upon finishing your participation in the CTF, you attest "I promise to permanently discard any information found."
✅ Our goal is to educate, report responsibly, and empower citizens and administrators to handle digital privacy risks with care and urgency.