No hacking: DICT says data leak was from PNP portal

Davinci Maru and Job Manahan, ABS-CBN News

Posted at Apr 25 2023 02:00 PM | Updated as of Apr 25 2023 08:09 PM

This image shows a scanned copy of a police officer’s national police clearance record. Courtesy of VPNMentor

MANILA (UPDATE) — No hacking.

The Department of Communications and Information Technology said this Tuesday regarding the alleged data breach involving over 1.2 million records of law enforcement agencies.

"It was not a hack. It was a data leak," DICT Secretary Ivan Uy told ANC's "Headstart".

"A cybersecurity researcher... happened to find a site where there was no security. It was just open to the public," he added.

Based on DICT's investigation, the data leak came from the online recruitment portal of the Philippine National Police. 

"It's an employment portal or recruitment portal. The uploaded documents were the ones that were exposed," Uy said.

"So, there was no hacking. It was an unsecured site that was just open and anybody could see it."


In a chance interview with Palace reporters, Uy said there were "serious lapses in the procedure" of the national police, given a wide-open system like that.

The PNP's IT department did not have knowledge about its recruitment page, he said. 

The DICT chief said the matter is now being handled by the National Privacy Commission. 

"They were not notified. So even that particular government agency, they have an IT department that handles this, and they reportedly did not know that someone had made a recruitment website for this, for the application for all of those," Uy told reporters, referring to the PNP.

"If you want to do that kind of system, you probably should have asked permission from your IT department and from the head of your agency, that you would be making this kind of system. And they should have approved it," he said.

"Even the IT department of that agency, were they notified that a system had in fact been made?"

Those proven to be liable for this will be held accountable, Uy said, as this is supposedly a violation under the Data Privacy Act.

The DICT has yet to discuss these concerns with the PNP, the official said, due to the ongoing transition in the police force. Gen. Benjamin Acorda assumed his position as the country's top cop just on Monday. 

ABS-CBN News reached out to the PNP, but it has yet to respond as of this story's posting. 

Cybersecurity firm VPNMentor reported last week the alleged "massive data breach" of employee and citizen records from the PNP, National Bureau of Investigation, Bureau of Internal Revenue and Civil Service Commission.

According to the firm, the supposed compromised database contained highly sensitive personal information such as passports, birth and marriage certificates, drivers’ licenses, academic transcripts and security clearance documents.


Uy said the data leak did not happen in other agencies.

"Only the PNP. Applicants to become police," he said.

Uy said the site was "not professionally developed" and the project was a "mom-and-pop operation".

"Because it is a government agency, they just adopted and used it without even consulting the DICT on what are the best practices and international standards in terms of cybersecurity and data protection," he said.

The site had since been taken down, the official said.

Cybersecurity researcher Jeremiah Fowler found a non-password-protected database through an IoT search engine.

He said the database was "publicly accessible" to anyone with internet access.
