Finding culprits in PhilHealth breach difficult: DICT chief | ABS-CBN
Jekki Pascual,
ABS-CBN News
Published Oct 09, 2023 05:34 PM PHT

MANILA — It may be difficult to run after the criminals behind the malware attack on the Philippine Health Insurance Corp., according to the secretary of the Department of Information and Communications Technology.
DICT Secretary Ivan John Uy said the government's investigation into the breach that may have affected the data of millions of PhilHealth members includes finding out who was behind the cyberattack.
"If they are operating from third countries that are a safe haven for them, we will not be able to pin them down. We can identify — and usually we can just identify the group, but not the individual," he said.
"Often, it's a group effort. Syndicate or state sponsored, we don't know yet. That is part of our investigation."
Don't click links to 'leaked data'
The DICT also urged the public not to click on links promising access to the leaked data since these may be used as bait by syndicates.
Clicking the links might activate malware that will expose more computer systems to attacks.
"Those who are curious: 'Oh, is my name on that list? The list is here and we can download it.' The back door is now embedded," Uy warned.
Millions may have been affected
Speaking on the sidelines of the launch of Cybersecurity Month on Monday, DICT Undersecretary Jeffrey Ian Dy said the data of millions of members may have been exposed in the more than 600 GB of data that was affected.
"We've already analyzed it. Actually, we're almost 90 percent already. We've seen a lot of those files with questionable extensions," he said.
He did not give an exact number of accounts affected, saying they saw duplicate entries and that the National Privacy Commission is investigating the breach.
PhilHealth membership is mandatory for most employed Filipinos.
DICT Secretary Uy said that only PhilHealth employees' workstations were breached but not the state insurer's server.
"PhilHealth's system is rather old and there are some — before they can transact your data, the workstations need to download your information from the server. So, there are workstations that were compromised, so that may be where the leak — if there is any — of members' data came from," Uy said.
Uy also urged government agencies to beef up their cybersecurity measures, saying that the DICT cannot monitor hundreds of government agencies and local government units.
He said all units need to have at least a cybersecurity officer.
ACT Teachers: Hire people, buy equipment instead
In an interview on TeleRadyo Serbisyo on Sunday, DICT Undersecretary Dy stressed the importance of confidential funds in their agency to fight data leaks and other ransomware attacks.
The agency is asking for P300 million for next year.
In a statement on Monday, ACT Teachers party-list Rep. France Castro said that the DICT should ask for more money to hire more people instead of for confidential funds.
Confidential funds, which are meant for surveillance activities, are subject to audit but are closed to public scrutiny because of national security considerations.
"[E]ven with the P400 million in 2019 and P800 million (in 2020) in the confidential fund of the Department of Information and Communication Technology, scammers and hackers are still proliferating, a glaring example of which is the cyber attack on Philhealth," she said.
"If the DICT is saying that they are undermanned to check or safeguard Philippine cyberspace then they should hire more personnel rather than ask for the untransparent confidential fund."
She said that it would be better for funding to go to the Philippine National Police and National Bureau of Investigation — both have cybercrime units — or to experts and equipment for DICT.