MANILA (UPDATE) — Over 1.2 million records, including sensitive information of applicants and employees of multiple government agencies in the Philippines, have been leaked online, according to a cybersecurity firm.
VPNMentor said the "massive data breach" includes records from the National Bureau of Investigation, Philippine National Police and Bureau of Internal Revenue.
The 817.54 gigabytes leaked contained highly sensitive personal information such as passports, birth and marriage certificates, drivers’ licenses, academic transcripts and security clearance documents, the firm said.
"Individuals whose data is exposed could be potential victims of identity theft, phishing attacks, and a range of other malicious activities," VPNMentor said in a report.
"It would be easy for criminals to apply for loans, credit, or other financial crimes using the identity of these individuals and supporting documents."
Cybersecurity researcher Jeremiah Fowler, who discovered the non-password-protected database, authored the report.
In an ANC interview Thursday, Fowler said he also found character recommendations, which came in the form of letters from courts and offices of municipal mayors, and documents containing tax identification numbers (TIN).
The database also contained internal directives addressing law enforcement officers.
"I didn't see anything that would be a threat to national security, for example," Fowler told "Rundown".
"But these were directives. Anytime you have a message coming from the top down? That's potentially sensitive information that you wouldn't want in the wrong hands."
He noted in his report that "exposed records could also potentially allow criminals to target members of law enforcement for blackmail or other schemes."
Fowler said that as a cybersecurity researcher, his objective is to help secure any exposed data.
"To describe it in the most simple way, we used IOT search engine. IOT engine is similar to Google, except it searches for connected devices... In this case, it was a cloud storage repository," he said.
Fowler also said the database was "publicly accessible" to anyone with an internet connection.
"It doesn't take specialized knowledge to see this. You just have to know where to look," he said.
To authenticate his findings, he only viewed a limited sampling and did not extract any data.
Fowler has sent 15 responsible disclosure notices to multiple agencies but has not received an official response.
"It's not about naming and shaming and pointing the finger. It's about learning from a data exposure," he said.
"My best advice would be to learn, to grow and to take inventory of all the databases that you have and who has access to them."
PRIVACY WATCHDOG: NO BREACH SAY AGENCIES
The National Privacy Commission meanwhile met on Thursday with representatives of the agencies named in the alleged leak.
The NPC said the PNP, NBI, BIR and the Civil Service Commission have conducted their respective investigations and vulnerability tests.
While the NBI, CSC, and BIR have confirmed that there were no breaches on their part, the PNP requested more time to validate and review its systems for possible security compromise as the police was highlighted in the alleged data leak.
The NBI has denied the report of a data breach in its system.
"Based on the initial assessment of our IT people, so far we did not see a breach in our system. But our verification and monitoring are continuous," NBI spokesperson Atty. Giselle Dumlao said in a statement.
In a separate statement, Commissioner Romeo Lumagui said the alleged data breach did not happen in the Bureau of Internal Revenue.
"In reply to the alleged data breach that happened in three government agencies reported in newspapers today, April 20, 2023, Commissioner Romeo D. Lumagui, Jr. would like to assure the general public that the alleged breach did not happen in the Bureau of Internal Revenue (BIR)," the agency said in a statement.
But the BIR said it is working with the other agencies to mitigate a reported breach.
“The BIR has been exerting efforts to protect and maintain the security of its data. The Bureau has initiated response protocols to keep its database protected. We are now in close coordination with the authorities and other government agencies to assist in mitigating the reported breach,” Lumagui said.
For its part, the Philippine National Police said an investigation is underway.
“The data breach is being investigated by our ACG (Anti-Cybercrime Group). So we just have to wait, what happened and our system may have been penetrated,” said PNP Chief General Rodolfo Azurin Jr. in an interview with Camp Crame reporters.
The NPC meanwhile said it has ordered Fowler to appear before the Commission on April 21 to aid their investigation.
“The recent allegations of a data breach involving law enforcement agencies in the country should serve as a reminder that no organization, not even the government, is immune to the threat of cyberattacks. And that we should remain in constant vigilance in protecting personal data,” said Privacy Commissioner John Henry Naga.
The NPC added that government agencies, such as the PNP, should strictly comply with the Data Privacy Act of 2012, including the mandatory breach notification requirement under various NPC Circulars.
COMPROMISED SYSTEM IDENTIFIED
The Department of Information and Communications Technology said Thursday it has found "possible" compromised systems in some government agencies in the recent investigations of its Philippine National Computer Emergency Response Team (NCERT).
"NCERT identified several possible compromised systems in some government agencies in the course of its assessment and testing. With the investigation still underway, the Department commits to disclose the results of its probe to the public and relevant government agencies in due time and in a proper forum," the agency said.
DICT said the investigations were conducted after it received links to an Azure blob storage containing sample photos of IDs, including PNP and NBI clearances, from an unknown security researcher last February.
Although the source of the information was not disclosed, it appears to be similar to the one recently reported by Fowler, it said.
The DICT said it considers the incident a grave concern and assures the public that it is committed to protecting the country’s cyberspace from attacks.