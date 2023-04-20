The privacy commission orders Jeremiah Fowler, the researcher who found the breach and published the VPNMentor report, to appear before it on Friday, April 21

MANILA, Philippines – The Philippine National Police (PNP) has “requested for time to validate and review its systems for possible security compromise” after it was “highlighted in [a] report alleging the data leak,” the National Privacy Commission (NPC) said on Thursday, April 20.

NPC officials met with representatives of government agencies, which cybersecurity company VPNMentor earlier identified as having been affected by the alleged data breach. They included the PNP, the National Bureau of Investigation, the Civil Service Commission, and the Bureau of Internal Revenue.

“According to representatives of said agencies, after conducting their respective investigations and vulnerability tests, the NBI, CSC, and BIR have confirmed that there were no breaches on their part and will release their respective statements to the public,” the NPC said in a statement on Thursday.

The NBI, CSC, and BIR maintain that no breach happened in their systems.\

Prior to the meeting, CNN quoted PNP Anti-Cyber Crime Group chief Sidney Hernia as saying, “We cannot categorically say at this time that there was a leaked applicants data,” and that they were “still conducting vulnerability assessment and penetration testing.”

The NPC has also ordered Jeremiah Fowler, the researcher who found the breach and published the VPNMentor report, to appear before the commission on Friday, April 21. The privacy body will also be conducting an onsite investigation into the “concerned data processing system of the PNP” on April 24, headed by its complaints and investigation division.

Fowler earlier said in an ANC interview that, while both the “bad guys” and “good guys” are scanning for such vulnerabilities, the time that the database was exposed may be “not as long as you would think.” His explanation is that, otherwise, the data in the database would already have been stolen and erased or locked up by a ransomware group.

“The recent allegations of a data breach involving law enforcement agencies in the country should serve as a reminder that no organization, not even the government, is immune to the threat of cyberattacks,” NPC Commissioner John Henry Naga said.

“And people should maintain vigilance in protecting personal data. I call on all government agencies and private sectors processing personal data to review the implementation of their data privacy and security measures. It is not enough to simply comply with existing regulations and standards; we must also proactively identify and address potential vulnerabilities,” he added.

“Even as our probe is underway, the NPC strongly demands of these government agencies, such as the PNP, to strictly comply with the Data Privacy Act of 2012, including the mandatory breach notification requirement under various NPC Circulars,” Naga said. – Rappler.com