No 'concrete evidence' yet 1.2-M records were leaked - privacy watchdog


Posted at Apr 21 2023 12:27 PM | Updated as of Apr 21 2023 11:31 PM

This image shows a scanned copy of a police officer’s national police clearance record. Courtesy of VPNMentor
This image shows a scanned copy of a police officer’s national police clearance record. Courtesy of VPNMentor

MANILA — There is no "concrete evidence" yet that more than 1.2 million records from multiple agencies were leaked, the country's privacy watchdog said Friday.

The National Privacy Commission, however, agreed with the findings of a cybersecurity firm that said the government data were unprotected.

"At this point, we still have no concrete evidence that indeed 1.2 million records [were] leaked. What we know now is that it was left exposed," lawyer Michael Santos, chief of NPC's complaints and investigation division, told ANC's "Rundown".

Cybersecurity firm VPNMentor reported this week the alleged "massive data breach" of employee and citizen records from the National Bureau of Investigation, Philippine National Police, Bureau of Internal Revenue and Civil Service Commission.

According to the firm, the supposed compromised database contained highly sensitive personal information such as passports, birth and marriage certificates, drivers’ licenses, academic transcripts and security clearance documents.

"After looking at the initial artifacts... we are looking at the angle this could possibly be related to job applications or job recruitment," Santos said.

Government agencies have begun their probe into the reported data breach, with the Department of Information and Communications Technology calling the incident a "grave concern".

The BIR, CSC and NBI insisted the leak did not happen in their agencies.

"The BIR, CSC, NBI assured us after taking an internal look into their systems that... they didn't found any data breach in their systems," Santos said.

The NPC will be conducting an onsite investigation into PNP's data processing system on Monday.

"We expect first to be let into the data processing centers of the PNP to inspect their systems, to check their logs and to match data if indeed they are the ones collecting that information," Santos said.

"Given the set of data, of artifacts provided by the researcher, we will match it with their data processing system. If there's a match, we could possibly identify if indeed it was the processing systems of the PNP that was left exposed," he added.

Cybersecurity researcher Jeremiah Fowler found the existence of a non-password protected database through an IOT search engine.

He has said the database was "publicly accessible" to anyone with internet.

Watch more News on iWantTFC