DICT ‘doubling down’ on probe into massive data breach in PNP

POPULAR POST

The redemption of Kusho World: an NFT Project turned...

Kusho World rocked the world of Web3 during the pandemic as a project founded by an eager teen that quickly turned sour. The NFT...

DMAP to address digital skills gap, future-proofing workforce at...

Amidst the widening digital skills gap that threatens the competitiveness of its workforce, the Digital Marketing Association of the Philippines (DMAP), the country’s center of excellence and innovation in digital marketing, will focus on future-proofing the digital landscape at the ninth Digital Congress (DigiCon) on October 15-16, 2024, in Newport City, Metro Manila.

YGG Partners with Parallel TCG to Bring $100,000 Tournament...

Yield Guild Games (YGG), the web3 guild protocol, is partnering with Parallel TCG to bring the award-winning web3 title to the YGG Play Summit...

iThink Hackathon: Pump Up The Jam Demo Day &...

The iThink Hackathon: Pump Up The Jam concluded with a Demo Day & Business Mixer, showcasing blockchain-driven innovations. Hosted by content creator Papa Bii,...

Coins.ph Announces Philippine Stablecoin Launch on Solana

Coins.ph, the largest cryptocurrency exchange in the Philippines with 18 million users, today announced at Solana’s Breakpoint 2024 conference that PHPC, its fully backed and central bank regulated Philippine Peso stablecoin, will soon be supported on the Solana blockchain.

Sky Mavis Welcomes First Seven Studios to Ronin Forge,...

Games To Migrate from Immutable, Blast, Arbitrum, and Base blockchains

The Philippine National Computer Emergency Response Team (NCERT) is “doubling down” in its probe into the alleged massive breach in the database of the Philippine National Police (PNP).

According to the Department of Information and Communications Technology (DICT), the NCERT, which is part of the agency’s Cybersecurity Bureau, is already investigating the data breach after receiving links to an Azure blob storage containing sample photos of IDs, including PNP and National Bureau of Investigation clearances issued to government employees, from a security researcher last February 22.

“The said security researcher did not disclose to NCERT the source of the data and what information asset was compromised. Further, the information sent by the security researcher is identical to what was reported by Mr. Jeremiah Fowler and which has since been credited by recent news reports,” the DICT said, referring to the cybersecurity researcher at vpnMentor.

Fowler, in his article at vpnMentor, said the exposed 1.2 million records contained highly sensitive personally identifiable information. 

The NCERT provided an incident report regarding the alleged breach to both the PNP and the NBI for a period covering March 3 to March 23.

“The DICT considers the incident as a grave concern that threatened the confidentiality, integrity, and privacy of user data,” the agency said.

The DICT reminded government agencies, private entities, and the public that cybersecurity should be” a concerted effort of everyone and all agencies are encouraged to seek assistance to help secure their respective cyber assets.”

“I saw scans of official documentation such as passports, birth and marriage certificates, drivers’ licenses, academic transcripts, security clearance documents, and many more,” Fowler said of the 817.54 gigabyte information.

“Based on the limited samples of records I viewed, the database also appeared to contain documents relating to internal directives addressing law enforcement officers, which may or may not be confidential,” he said.

The database appeared to contain a selection of records pertaining to the academic and/or personal history of each applicant or employee. Samples of records include copies of fingerprint scans, signatures, and required documents from government agencies.

Fowler warned that any data breach that exposes personal information belonging to police and members of law enforcement or other officials can be dangerous as individuals whose data are exposed could be potential victims of identity theft, phishing attacks, and a range of other malicious activities.

He said it would be easy for criminals to apply for loans, credit or other financial crimes using the identity of these individuals and supporting documents.

“The availability of government records in an unsecured database raises concerns about potential national security issues. The exposed records could also potentially allow criminals to target members of law enforcement for blackmail or other schemes,” he wrote.

He said he sent 15 responsible disclosure notices over several weeks to multiple agencies before action was finally taken, adding the NCERT responded to his messages.

“Due to the amount of time from when the exposure was discovered, reported, and finally closed it is unclear exactly how long the database was publicly accessible or if anyone else may have accessed it,” he said.

He said the sensitive data was exposed for a minimum of six weeks, during which he did he best to have it secured.

‘No breach at NBI, BIR, CSC’

In a separate statement on April 20, the National Privacy Commission (NPC) said it gathered representatives the concerned government agencies, including the PNP, NBI, Bureau of Internal Revenue (BIR) and the Civil Service Commission (CSC), to address the alleged leak of personal data involving law enforcement agencies.

“According to representatives of said agencies, after conducting their respective investigations and vulnerability tests, the NBI, CSC and BIR have confirmed that there were no breaches on their part and will release their respective statements to the public,” Privacy Commissioner John Henry Naga said.

“However, the Philippine National Police requested for time to validate and review its systems for possible security compromise considering that the Police was highlight in the report alleging the data leak,” he added.

To further investigate this matter, Naga said they issued an order to conduct an onsite investigation on the concerned data processing system of the PNP on April 24.

The NPC also ordered Fowler to appear before the commission on April 21.

“The recent allegations of a data breach involving law enforcement agencies in the country should serve as a reminder that no organization, not even the government, is immune to the threat of cyberattacks. And that we should remain in constant vigilance in protecting personal data,” said Naga.

“I call on all government agencies and private sectors processing personal data to review the implementation of their data privacy and security measures. It is not enough to simply comply with existing regulations and standards; we must also proactively identify and address potential vulnerabilities,” he added.

The NPC also asked government agencies to strictly comply with the Data Privacy Act of 2012, including the mandatory breach notification requirement under various circulars.

Subscribe to our newsletter

Its easy to be smart about crypto, allow us to send you weekly updates on digital assets, crypto, NFTs and fintech.

WANT TO KNOW MORE?

DMAP to address digital skills gap, future-proofing workforce at DigiCon 2024

Amidst the widening digital skills gap that threatens the competitiveness of its workforce, the Digital Marketing Association of the Philippines (DMAP), the country’s center of excellence and innovation in digital marketing, will focus on future-proofing the digital landscape at the ninth Digital Congress (DigiCon) on October 15-16, 2024, in Newport City, Metro Manila.

Coins.ph Announces Philippine Stablecoin Launch on Solana

Coins.ph, the largest cryptocurrency exchange in the Philippines with 18 million users, today announced at Solana’s Breakpoint 2024 conference that PHPC, its fully backed and central bank regulated Philippine Peso stablecoin, will soon be supported on the Solana blockchain.

Sky Mavis Welcomes First Seven Studios to Ronin Forge, the Premier...

Games To Migrate from Immutable, Blast, Arbitrum, and Base blockchains