AMID an alleged leak of the personal data of employees of various government agencies, the Department of Information and Communications Technology (DICT) yesterday told government agencies to enhance their cybersecurity measures to prevent a breach of their data processing systems.
“The DICT considers the incident as a grave concern that threatened the confidentiality, integrity, and privacy of user data. The department assures the public that investigation on the matter is underway. The department would also like to remind all government agencies to increase its cybersecurity measures and to coordinate with the DICT for further capacity building in this area,” the agency said in a statement.
It stressed that “cybersecurity should be a concerted effort of everyone and all agencies are encouraged to seek assistance to help secure their respective cyber assets.”
The National Privacy Commission (NPC), on the other hand, said it is set to conduct an onsite investigation of the data processing systems of the PNP and the National Bureau of Investigation (NBI) on April 24.
NPC Commissioner John Henry Naga yesterday met with representatives of the PNP, NBI, Civil Service Commission (CSC) and Bureau of Internal Revenue (BIR) following the report of cybersecurity research company vpnMentor that some 1.27 million records belonging to law enforcement agencies in the Philippines were compromised in an alleged massive data breach.
vpnMentor has posted on its website a report written by cybersecurity researcher Jeremiah Fowler indicating that a data hack on government agencies exposed 817.54 gigabytes of records of applicants and employees of government agencies, including the PNP, the NBI, the BIR, the CSC and the PNP Special Action Force.
Fowler has said that the breached data included fingerprint scans, signatures, birth certificates, educational record transcripts, diplomas, tax filing records, passports and police identification cards.
The data breach also allegedly “included Republic of the Philippines justice department’s certification, local or regional court records, and the National Bureau of Investigation identification and clearance documents.”
Fowler also reported the existence of a non-password-protected database containing over 1.2 million records of individuals who were employed or applied to work in law enforcement in the Philippines.
Naga said the NBI, BIR and CSC have said there were no breaches of their records based on their respective initial investigations and vulnerability tests.
But the PNP, according to Naga, “requested for time to validate and review its systems for possible security compromise considering that the police was highlight(ed) in the report alleging the data leak.”
Naga also said the Commission has invited Fowler to appear before the agency today to aid in its investigation.
BIR Commissioner Romeo D. Lumagui Jr., in a separate statement, assured the public that the alleged breach did not happen in the agency.
“The BIR has been exerting efforts to protect and maintain the security of its data. The Bureau has initiated response protocols to keep its database protected. We are now in close coordination with the authorities and other government agencies to assist in mitigating the reported breach,” Lumagui said.
Naga said the recent report of a data breach involving law enforcement agencies in the country should serve as a reminder that no organization, not even the government, is immune from the threat of cyberattacks.
“We should remain in constant vigilance in protecting personal data,” Naga said as he called on all government agencies and private sectors processing personal data to review the implementation of their data privacy and security measures.
“It is not enough to simply comply with existing regulations and standards; we must also proactively identify and address potential vulnerabilities,” he said.
He added that government agencies, such as the PNP, should strictly comply with the Data Privacy Act of 2012, including the mandatory breach notification requirement under various NPC circulars.
The DICT said the Philippine National Computer Emergency Response Team (NCERT) of the DICT Cybersecurity Bureau is investigating the alleged breach.
“The NCERT started its investigation on the alleged breach after receiving links to an Azure blob storage containing sample photos of IDs, including PNP and NBI clearances, from a security researcher last February 22,” it said.
But, the DICT said, “the security researcher did not disclose to NCERT the source of the data and what information asset was compromised. Further, the information sent by the security researcher is identical to what was reported by Fowler and which has since been credited by recent news reports.”
The DICT said NCERT provided an incident report regarding the alleged breach to both the PNP and the NBI between March 3 and 23.