DICT ‘doubling down’ on probe into massive data breach in PNP

POPULAR POST

Coins.ph Marks 10th Anniversary with 10% Rewards on USDC

To celebrate Coins.ph’s 10th year as the Philippines' leading crypto platform, the exchange is giving users 10% rewards on USDC this February under its...

No NFT, No Entry – How Stanible got into...

Editor's Note: This is an op-ed from Stanible founder Harry Santos on the trials and tribulations of onboarding the general public and making them...

Empowering the Future: Web3PH Hosts Gathering for Tech Leaders

 In a groundbreaking initiative to propel the nation into the digital forefront, Web3PH, in collaboration with the Department of Information and Communications Technology (DICT)...

Superteam Philippines Accelerates Web3 Journey with Grand Launch Event

Superteam, the distributed talent layer of the Solana Ecosystem, officially launches its operations in the Philippines with a dynamic event at the Marquis Events...

Filipino gamers can win exciting rewards from Aura and...

Filipino gamers are offered fun and unique opportunities as Singapore-based Web3 gaming platform Aura has partnered with Web3 game The Red Village. Aura, the exclusive...

Web3 focused Metasports.GG holds industry screening for ‘GG The...

GG The Movie revolves around Seth, an aspiring professional esports player, who navigates the Philippine stigma and challenges in trying to achieve that goal.

The Philippine National Computer Emergency Response Team (NCERT) is “doubling down” in its probe into the alleged massive breach in the database of the Philippine National Police (PNP).

According to the Department of Information and Communications Technology (DICT), the NCERT, which is part of the agency’s Cybersecurity Bureau, is already investigating the data breach after receiving links to an Azure blob storage containing sample photos of IDs, including PNP and National Bureau of Investigation clearances issued to government employees, from a security researcher last February 22.

“The said security researcher did not disclose to NCERT the source of the data and what information asset was compromised. Further, the information sent by the security researcher is identical to what was reported by Mr. Jeremiah Fowler and which has since been credited by recent news reports,” the DICT said, referring to the cybersecurity researcher at vpnMentor.

Fowler, in his article at vpnMentor, said the exposed 1.2 million records contained highly sensitive personally identifiable information. 

The NCERT provided an incident report regarding the alleged breach to both the PNP and the NBI for a period covering March 3 to March 23.

“The DICT considers the incident as a grave concern that threatened the confidentiality, integrity, and privacy of user data,” the agency said.

The DICT reminded government agencies, private entities, and the public that cybersecurity should be” a concerted effort of everyone and all agencies are encouraged to seek assistance to help secure their respective cyber assets.”

“I saw scans of official documentation such as passports, birth and marriage certificates, drivers’ licenses, academic transcripts, security clearance documents, and many more,” Fowler said of the 817.54 gigabyte information.

“Based on the limited samples of records I viewed, the database also appeared to contain documents relating to internal directives addressing law enforcement officers, which may or may not be confidential,” he said.

The database appeared to contain a selection of records pertaining to the academic and/or personal history of each applicant or employee. Samples of records include copies of fingerprint scans, signatures, and required documents from government agencies.

Fowler warned that any data breach that exposes personal information belonging to police and members of law enforcement or other officials can be dangerous as individuals whose data are exposed could be potential victims of identity theft, phishing attacks, and a range of other malicious activities.

He said it would be easy for criminals to apply for loans, credit or other financial crimes using the identity of these individuals and supporting documents.

“The availability of government records in an unsecured database raises concerns about potential national security issues. The exposed records could also potentially allow criminals to target members of law enforcement for blackmail or other schemes,” he wrote.

He said he sent 15 responsible disclosure notices over several weeks to multiple agencies before action was finally taken, adding the NCERT responded to his messages.

“Due to the amount of time from when the exposure was discovered, reported, and finally closed it is unclear exactly how long the database was publicly accessible or if anyone else may have accessed it,” he said.

He said the sensitive data was exposed for a minimum of six weeks, during which he did he best to have it secured.

‘No breach at NBI, BIR, CSC’

In a separate statement on April 20, the National Privacy Commission (NPC) said it gathered representatives the concerned government agencies, including the PNP, NBI, Bureau of Internal Revenue (BIR) and the Civil Service Commission (CSC), to address the alleged leak of personal data involving law enforcement agencies.

“According to representatives of said agencies, after conducting their respective investigations and vulnerability tests, the NBI, CSC and BIR have confirmed that there were no breaches on their part and will release their respective statements to the public,” Privacy Commissioner John Henry Naga said.

“However, the Philippine National Police requested for time to validate and review its systems for possible security compromise considering that the Police was highlight in the report alleging the data leak,” he added.

To further investigate this matter, Naga said they issued an order to conduct an onsite investigation on the concerned data processing system of the PNP on April 24.

The NPC also ordered Fowler to appear before the commission on April 21.

“The recent allegations of a data breach involving law enforcement agencies in the country should serve as a reminder that no organization, not even the government, is immune to the threat of cyberattacks. And that we should remain in constant vigilance in protecting personal data,” said Naga.

“I call on all government agencies and private sectors processing personal data to review the implementation of their data privacy and security measures. It is not enough to simply comply with existing regulations and standards; we must also proactively identify and address potential vulnerabilities,” he added.

The NPC also asked government agencies to strictly comply with the Data Privacy Act of 2012, including the mandatory breach notification requirement under various circulars.

Subscribe to our newsletter

Its easy to be smart about crypto, allow us to send you weekly updates on digital assets, crypto, NFTs and fintech.

WANT TO KNOW MORE?