THE ongoing investigation of the PhilHealth data breach may be bolstered by two data privacy and cybersecurity advocacy groups if the Department of Information and Communications Technology (DICT) and the National Privacy Commission (NPC) take up their offer to join forces on proactive measures to prepare Filipino consumers and institutions for the potential consequences of the breach.
The National Association of Data Protection Officers of the Philippines (NADPOP) and the Philippine Computer Emergency Response Team (PH-CERT) are offering third-party support as they emphasize the need for DICT and NPC to provide guidance to affected consumers and institutions, even if only a fraction of the breach’s extent has been disclosed by the threat actors.
This breach, involving the Medusa malware attack discovered on September 22, raises significant concerns.
The scale of this incident is even greater than the 2016 Comelec data breach as it involves mandatory enrollment and monthly contributions of all working Filipinos. The emphasis here is on the pre-election breach carried out by Anonymous International and the data leak by Lulz Philippines.
“Compared to the Comelec data breach in 2016, the potential impact of this incident is even bigger as all working Filipinos are mandatorily enrolled, and need to pay monthly contributions. We urgently request the DICT and NPC that even if only a fraction of the extent of the breach has been revealed by the threat actors, they can already guide consumers, and institutions that use PhilHealth information on what to do in case their personal information was compromised by the breach,” said Sam Jacoba, President of the National Association of Data Protection Officers of the Philippines (NADPOP), the Philippines’ first advocacy group of Data Protection Officers.
For reference, on March 27, 2016, a group identifying itself as “Anonymous Philippines” launched the cyberattack on Comelec servers, targeting the website of the Philippine Commission on Elections (COMELEC).
This breach resulted in the defacement of the website, accompanied by a message emphasizing the need for enhanced security measures on the vote counting machines (VCM) intended for use in the upcoming May 9, 2016 Philippine general elections.
Interestingly, on the same day, another hacking group known as LulzSec Pilipinas emerged, sharing a web link claiming to provide access to the entire COMELEC database. They later updated their post to include three additional mirror links to the downloadable files within the database. Notably, the volume of data leaked by LulzSec Pilipinas amounted to a substantial 340 gigabytes.
Lito Averia, President of PH-CERT, agrees and stresses the importance of preparing PhilHealth members for potential worst-case scenarios, such as financial losses or identity theft.
Aside from offering third-party support and assistance to PhilHealth in its ongoing breach investigation with the DICT and NPC, they emphasize the value of community support in safeguarding personal information and are ready to contribute their expertise in digital forensics and breach management.
Furthermore, NADPOP and PH-CERT have recently concluded the CyberSecConPH event, which gathered over 100 cybersecurity professionals and marked the initiation of a Cybersecurity Community of Practice in the Philippines.
They are also set to host an exclusive online conference on Governance, Risk, and Compliance (GRC) from October 25 to 27, aimed at enhancing the knowledge and skills of Data Protection Officers (DPOs) and Cybersecurity Professionals in countering both internal and external threats. This conference is by invitation only, catering to active NADPOP and PH-CERT community volunteers, members, and partners.
The Manila Bulletin, the largest English-language newspaper in the Philippines, has reported claims from an anonymous source suggesting that the servers of the Philippine Commission on Elections (COMELEC) were compromised on January 8th. According to the source, the attackers managed to obtain more than 60 GB of data.
This data allegedly included sensitive information such as usernames and PINs for vote-counting machines, as well as a range of other critical data, including network diagrams, IP addresses, a list of privileged users, domain admin credentials, password lists, access to the ballot handling dashboard, and QR code captures from the bureau of canvassers, complete with login and password details. Additionally, it was claimed to contain a roster of overseas absentee voters, the locations of all voting precincts along with board of canvassers’ details, configuration lists for the database, and a list of all user accounts for COMELEC personnel.
On January 10th, COMELEC issued a statement saying it was presently scrutinizing these allegations. It also pointed out that the claim of “usernames and PINS of vote-counting machines” was questionable since COMELEC’s systems had not yet completed the configuration files, casting doubt on the credibility of the hacking allegations.
Furthermore, COMELEC noted that the Manila Bulletin had not provided evidence to substantiate its assertion that they had confirmed an ongoing hack.