The Philippine National Computer Emergency Response Team (NCERT) is “doubling down” in its probe into the alleged massive breach in the database of the Philippine National Police (PNP).
According to the Department of Information and Communications Technology (DICT), the NCERT, which is part of the agency’s Cybersecurity Bureau, is already investigating the data breach after receiving links to an Azure blob storage containing sample photos of IDs, including PNP and National Bureau of Investigation clearances issued to government employees, from a security researcher last February 22.
“The said security researcher did not disclose to NCERT the source of the data and what information asset was compromised. Further, the information sent by the security researcher is identical to what was reported by Mr. Jeremiah Fowler and which has since been credited by recent news reports,” the DICT said, referring to the cybersecurity researcher at vpnMentor.
Fowler, in his article at vpnMentor, said the exposed 1.2 million records contained highly sensitive personally identifiable information.
The NCERT provided an incident report regarding the alleged breach to both the PNP and the NBI for a period covering March 3 to March 23.
“The DICT considers the incident as a grave concern that threatened the confidentiality, integrity, and privacy of user data,” the agency said.
The DICT reminded government agencies, private entities, and the public that cybersecurity should be “a concerted effort of everyone and all agencies are encouraged to seek assistance to help secure their respective cyber assets.”
“I saw scans of official documentation such as passports, birth and marriage certificates, drivers’ licenses, academic transcripts, security clearance documents, and many more,” Fowler said of the 817.54 gigabytes of information.
“Based on the limited samples of records I viewed, the database also appeared to contain documents relating to internal directives addressing law enforcement officers, which may or may not be confidential,” he said.
The database appeared to contain a selection of records pertaining to the academic and/or personal history of each applicant or employee. Samples of records include copies of fingerprint scans, signatures, and required documents from government agencies.
Fowler warned that any data breach that exposes personal information belonging to police and members of law enforcement or other officials can be dangerous as individuals whose data are exposed could be potential victims of identity theft, phishing attacks, and a range of other malicious activities.
He said it would be easy for criminals to apply for loans or credit, or to commit other financial crimes, using the identity of these individuals and supporting documents.
“The availability of government records in an unsecured database raises concerns about potential national security issues. The exposed records could also potentially allow criminals to target members of law enforcement for blackmail or other schemes,” he wrote.
He said he sent 15 responsible disclosure notices over several weeks to multiple agencies before action was finally taken, adding that the NCERT responded to his messages.
“Due to the amount of time from when the exposure was discovered, reported, and finally closed it is unclear exactly how long the database was publicly accessible or if anyone else may have accessed it,” he said.
He said the sensitive data was exposed for a minimum of six weeks, during which he did his best to have it secured.
‘No breach at NBI, BIR, CSC’
In a separate statement on April 20, the National Privacy Commission (NPC) said it gathered representatives of the concerned government agencies, including the PNP, NBI, Bureau of Internal Revenue (BIR) and the Civil Service Commission (CSC), to address the alleged leak of personal data involving law enforcement agencies.
“According to representatives of said agencies, after conducting their respective investigations and vulnerability tests, the NBI, CSC and BIR have confirmed that there were no breaches on their part and will release their respective statements to the public,” Privacy Commissioner John Henry Naga said.
“However, the Philippine National Police requested for time to validate and review its systems for possible security compromise considering that the Police was highlighted in the report alleging the data leak,” he added.
To further investigate this matter, Naga said they issued an order to conduct an onsite investigation on the concerned data processing system of the PNP on April 24.
The NPC also ordered Fowler to appear before the commission on April 21.
“The recent allegations of a data breach involving law enforcement agencies in the country should serve as a reminder that no organization, not even the government, is immune to the threat of cyberattacks. And that we should remain in constant vigilance in protecting personal data,” said Naga.
“I call on all government agencies and private sectors processing personal data to review the implementation of their data privacy and security measures. It is not enough to simply comply with existing regulations and standards; we must also proactively identify and address potential vulnerabilities,” he added.
The NPC also asked government agencies to strictly comply with the Data Privacy Act of 2012, including the mandatory breach notification requirement under various circulars.