Privacy commission to meet with NBI, PNP over alleged breach of 1.2M records

Gelo Gonzales

(2nd UPDATE) Aside from potential identity theft, VPNMentor, which found the breach, says, 'The availability of government records in an unsecured database raises concerns about potential national security issues'

MANILA, Philippines – The National Privacy Commission (NPC) will meet with the Philippine National Police (PNP), the National Bureau of Investigation (NBI), and other concerned agencies on Thursday afternoon, April 20, over an alleged data breach involving 1.2 million records mostly of law enforcement applicants and employees. 

“The NPC takes this matter very seriously, and we are working closely with concerned agencies to investigate this issue thoroughly,” Privacy Commissioner John Henry Naga said, referring to the report of cybersecurity firm VPNMentor published on Tuesday, April 18.

The closed-door meeting, set at 1 pm on Thursday, will also involve the Civil Service Commission (CSC) and the Bureau of Internal Revenue (BIR).

Based on the VPNMentor report, documents from the CSC, BIR, and the Special Action Force Operations Management Division of the PNP were found in the alleged breach as well, likely as requirements for employment. The NPC said that they would likely issue a statement after the meeting.

Representatives from both the PNP and NBI have not affirmed the data breach, according to a CNN report. PNP Anti-Cyber Crime Group chief Sidney Hernia said, “We cannot categorically say at this time that there was a leaked applicants data,” adding that they are “still conducting vulnerability assessment and penetration testing.”

Penetration testing is a cybersecurity practice that involves attempting to break into one’s own computer systems to check for vulnerabilities.

NBI spokesperson Giselle Dumlao said that based on the initial assessment of their IT staff, they have not seen a breach in their system. 

In a statement, BIR Commissioner Romeo Lumagui Jr. assured the public that his agency was not affected by a data breach.

“The BIR has been exerting efforts to protect and maintain the security of its data. The Bureau has initiated response protocols to keep its data base protected. We are now in close coordination with the authorities and other government agencies to assist in mitigating the reported breach,” he said in a statement on Thursday.

The CSC also said its database was not breached. “As of 10 am today (Thursday, April 20), the Department of Information and Communications Technology (DICT) National Computer Emergency Response Team (NCERT) has informed the Civil Service Commission (CSC) Integrated Records Management Office that the CSC system and database were not breached or attacked,” the commission said.

VPNMentor is the same cybersecurity group that, in July 2022, reported a vulnerability in Makati City’s “Proud Makatizen” website, a portal used to deliver COVID-19 vaccination registration services, among others. 

Here are key facts on the alleged PNP, NBI data breach:

  • 1,279,437 records totaling 817.54GB exposed
  • Records breached include “official documentation such as passports, birth and marriage certificates, drivers’ licenses, academic transcripts, security clearance documents,” tax filing records that included TIN data, employment recommendation letters, among others
  • Documents are from either law enforcement applicants or employees in law enforcement roles
  • Documents relating to internal directives addressing law enforcement officers

What is the danger for those exposed in the alleged data breach?

VPNMentor said in its report: “Individuals whose data is exposed could be potential victims of identity theft, phishing attacks, and a range of other malicious activities. It would be easy for criminals to apply for loans, credit, or other financial crimes using the identity of these individuals and supporting documents.”

“The availability of government records in an unsecured database raises concerns about potential national security issues. The exposed records could also potentially allow criminals to target members of law enforcement for blackmail or other schemes.”

Jeremiah Fowler, who discovered the vulnerability, said in an ANC interview that while both the “bad guys” and “good guys” are scanning for such vulnerabilities, the time that the database was exposed may be “not as long as you would think.” His explanation is that, otherwise, the data in the database would already have been stolen and erased or locked up by a ransomware group.

In his blog post, Fowler validated that the data may have been exposed for at least six weeks. 

Fowler also noted that it is “easier than you would imagine to make the mistake” of accidentally leaving a database exposed. He said he had been in the position of being on the side that’s trying to protect a database for a company. 

His best advice? “Now is the time to take a step back, examine all their databases under their control, and take a look at cybersecurity policies,” he said.

Fowler also said in his blog post: “As researchers, we maintain objectivity and do not insinuate any wrongdoing by law enforcement agencies in the Philippines or suggest that any officers were at risk due to the leaked records. I have attempted to initiate dialogue with relevant authorities but have not received an official response, making it challenging to pinpoint any parties potentially responsible for the data breach.”

He added: “I sent over 15 responsible disclosure notices over several weeks to multiple agencies before action was finally taken.”

He noted that he got a response from the Philippine National Computer Emergency Response Team, which thanked him and indicated that they were trying to identify who was responsible for the data exposure.

Those files should have been encrypted, he said. “Changing the culture is a good first step in that.” 

The Philippines has a history of data breaches, including the 2016 Commission on Elections data leak, the 2019 passport data mess involving the Department of Foreign Affairs, a 2021 breach involving 345,000 documents from the Office of the Solicitor General of the Philippines, and in 2022, the exposure of the database of the Proud Makatizen site.

A late 2022 Philstar.com report quoted Microsoft Philippines’ national technology and security officer Dale Jose saying: “The Philippines ranked 61st out of 194 countries in the ITU Global Cybersecurity Index. If you probe a bit deeper, one of the pillars we need to improve on the most is organizational measures, which refer to the nation’s cybersecurity strategy and its implementation.” – With a report from Ralf Rivas/Rappler.com


author

Gelo Gonzales

Gelo Gonzales is Rappler’s technology editor. He covers consumer electronics, social media, emerging tech, and video games.