DICT ‘doubling down’ on probe into massive data breach in PNP

The Philippine National Computer Emergency Response Team (NCERT) is “doubling down” in its probe into the alleged massive breach in the database of the Philippine National Police (PNP).

According to the Department of Information and Communications Technology (DICT), the NCERT, which is part of the agency’s Cybersecurity Bureau, is already investigating the data breach after receiving links to an Azure blob storage containing sample photos of IDs, including PNP and National Bureau of Investigation clearances issued to government employees, from a security researcher last February 22.

“The said security researcher did not disclose to NCERT the source of the data and what information asset was compromised. Further, the information sent by the security researcher is identical to what was reported by Mr. Jeremiah Fowler and which has since been credited by recent news reports,” the DICT said, referring to the cybersecurity researcher at vpnMentor.

Fowler, in his article at vpnMentor, said the exposed 1.2 million records contained highly sensitive personally identifiable information. 

The NCERT provided an incident report regarding the alleged breach to both the PNP and the NBI for a period covering March 3 to March 23.

“The DICT considers the incident as a grave concern that threatened the confidentiality, integrity, and privacy of user data,” the agency said.

The DICT reminded government agencies, private entities, and the public that cybersecurity should be “a concerted effort of everyone and all agencies are encouraged to seek assistance to help secure their respective cyber assets.”

“I saw scans of official documentation such as passports, birth and marriage certificates, drivers’ licenses, academic transcripts, security clearance documents, and many more,” Fowler said of the 817.54 gigabytes of information.

“Based on the limited samples of records I viewed, the database also appeared to contain documents relating to internal directives addressing law enforcement officers, which may or may not be confidential,” he said.

The database appeared to contain a selection of records pertaining to the academic and/or personal history of each applicant or employee. Samples of records include copies of fingerprint scans, signatures, and required documents from government agencies.

Fowler warned that any data breach that exposes personal information belonging to police and members of law enforcement or other officials can be dangerous as individuals whose data are exposed could be potential victims of identity theft, phishing attacks, and a range of other malicious activities.

He said it would be easy for criminals to apply for loans or credit, or to commit other financial crimes, using the identity of these individuals and supporting documents.

“The availability of government records in an unsecured database raises concerns about potential national security issues. The exposed records could also potentially allow criminals to target members of law enforcement for blackmail or other schemes,” he wrote.

He said he sent 15 responsible disclosure notices over several weeks to multiple agencies before action was finally taken, adding that the NCERT responded to his messages.

“Due to the amount of time from when the exposure was discovered, reported, and finally closed it is unclear exactly how long the database was publicly accessible or if anyone else may have accessed it,” he said.

He said the sensitive data was exposed for a minimum of six weeks, during which he did his best to have it secured.

‘No breach at NBI, BIR, CSC’

In a separate statement on April 20, the National Privacy Commission (NPC) said it gathered representatives of the concerned government agencies, including the PNP, NBI, Bureau of Internal Revenue (BIR) and the Civil Service Commission (CSC), to address the alleged leak of personal data involving law enforcement agencies.

“According to representatives of said agencies, after conducting their respective investigations and vulnerability tests, the NBI, CSC and BIR have confirmed that there were no breaches on their part and will release their respective statements to the public,” Privacy Commissioner John Henry Naga said.

“However, the Philippine National Police requested for time to validate and review its systems for possible security compromise considering that the Police was highlighted in the report alleging the data leak,” he added.

To further investigate this matter, Naga said they issued an order to conduct an onsite investigation on the concerned data processing system of the PNP on April 24.

The NPC also ordered Fowler to appear before the commission on April 21.

“The recent allegations of a data breach involving law enforcement agencies in the country should serve as a reminder that no organization, not even the government, is immune to the threat of cyberattacks. And that we should remain in constant vigilance in protecting personal data,” said Naga.

“I call on all government agencies and private sectors processing personal data to review the implementation of their data privacy and security measures. It is not enough to simply comply with existing regulations and standards; we must also proactively identify and address potential vulnerabilities,” he added.

The NPC also asked government agencies to strictly comply with the Data Privacy Act of 2012, including the mandatory breach notification requirement under various circulars.
