THE PNP yesterday said it is looking into the supposed breach of the personal information of its personnel and applicants through a massive data hack as reported by a cybersecurity research company.
In a statement released through the PNP Public Information Office, PNP Anti-Cybercrime Group director Brig. Gen. Sydney Hernia said he cannot immediately say if data were indeed breached, but they are also not dismissing the report of cybersecurity research company vpnMentor that some 1.27 million records belonging to law enforcement agencies were compromised in the alleged data breach.
“We cannot categorically say at this time that there was a leaked applicants’ data. We are still conducting vulnerability assessment and penetration testing,” said Hernia, adding that they have already “requested complete access logs from PRSS (PNP Recruitment and Selection Service) to evaluate those logs.”
In a report posted on its website, vpnMentor said the data hack exposed 817.54 gigabytes of records of applicants and employees of government agencies, including the PNP, the National Bureau of Investigation, the Bureau of Internal Revenue, the Civil Service Commission, and the PNP Special Action Force.
It said the breached data included fingerprint scans, signatures, birth certificates, educational record transcripts, diplomas, tax filing records, passports and police identification cards.
“Included in the files were combined records certifying that there are no pending cases or criminal history for the officer,” it added.
The firm also said the data breach “included Republic of the Philippines justice department’s certification, local or regional court records, and the National Bureau of Investigation identification and clearance documents.”
vpnMentor said the breach of personal information of policemen and members of law enforcement agencies and other officials “can be dangerous” because “individuals whose data is exposed could be potential victims of identity theft, phishing attacks, and a range of other malicious activities” and “criminals would have an easy time to commit financial crimes using the stolen data.”
It added that “the availability of government records in an unsecured database raises concerns about potential national security issues. The exposed records could also potentially allow criminals to target members of law enforcement for blackmail or other schemes.”
vpnMentor is a team of 257 cybersecurity researchers, writers, and editors, dedicated to helping take back online freedom. It is based in over 20 countries across the globe. It started in 2014 “as a way to help people protect their online privacy.”
Its “mission,” as posted on its website, states: “It’s important to us that we not only provide expert reviews, but ones that are very much based on an average user’s experience. We perform ongoing tests to ensure we’re providing the most detailed and up-to-date VPN reviews and guides – and translate them into 29 languages. As part of our mission to promote internet freedom to people around the world, we’ve also created free tools to help verify your online security. Overall, we want to be your trusted source when it comes to finding the best VPNs, so you can browse the web protected, and on your own terms.”
The vpnMentor Research Lab works with data privacy agencies and computer emergency response teams to identify cyberthreats and help protect user data of businesses and organizations.
DATA BREACH
In the report, cybersecurity researcher Jeremiah Fowler reported the existence of a non-password-protected database containing over 1.2 million records of individuals who were employed or applied to work in law enforcement in the Philippines.
Aside from the records breach, vpnMentor said ancillary documents relating to the affairs and administration of law enforcement agencies in the Philippines were also compromised. These, it said, “contained highly sensitive personally identifiable information (PII).” “I saw scans of official documentation such as passports, birth and marriage certificates, drivers’ licenses, academic transcripts, security clearance documents, and many more,” Fowler said in his report.
The easily accessible database supposedly contained a selection of records pertaining to the academic and/or personal history of each applicant or employee, among them copies of fingerprint scans, signatures, and required documents from multiple state agencies, including the PNP, NBI, BIR, Special Action Force Operations Management Division, and the Civil Service Commission.
“The database also contained character recommendations, in the form of letters from courts and municipal mayors’ offices certifying that those individuals applying to work in law enforcement possessed a good moral character and had no prior criminal records. Nearly all countries require some form of background check to work in law enforcement. These documents are what is required in the Philippines. There was also a selection of documents containing Tax Identification Numbers (“TIN”) – a nine-digit number given to individual and corporate taxpayers by the tax authorities in the Philippines for identification and record-keeping purposes,” the report said.
It added that “the database also appeared to contain documents relating to internal directives addressing law enforcement officers, which may or may not be confidential. As an example, these would be orders from top leadership of how to enforce what laws and what gets priority or additional training that is needed etc.”
Fowler said that “due to the amount of time from when the exposure was discovered, reported, and finally closed it is unclear exactly how long the database was publicly accessible or if anyone else may have accessed it. I can validate that the data was exposed for a minimum of six (6) weeks, during which I did my best to have it secured. To fully understand the extent and impact of the breach, a comprehensive forensic audit is necessary.”