Senate to probe data breach in goverment agencies

MANILA, Philippines — The Senate is set to conduct an inquiry into the reported massive breach and exposure of sensitive information from the databases of the Philippine National Police (PNP), National Bureau of Investigation (NBI) and Bureau of Internal Revenue (BIR).

The probe was prompted by Resolution 573 filed by Sen. Bong Revilla, who expressed alarm over the report of vpnMentor, a leading cybersecurity research company, that records of 1,279,437 persons in the repository of law enforcement agencies, including sensitive police employee information, have been compromised in an unprecedented data breach.

The voluminous data hack has reportedly exposed 817.54 gigabytes of both applicant and employee records under multiple state agencies, including the PNP, NBI and BIR.

“This report is truly alarming. The data involved is very sensitive – fingerprint scans, tax identification numbers, birth certificates, and copies of passports. If these fell into the hands of bad people, it would be very easy for them to use them for scams and access other records, like those from banks,” Revilla said.

vpnMentor also bared the alleged breached documents were stored in a database that was unsecured and non-password protected, making it highly vulnerable to cyberattacks and ransomware.

The senator said data privacy and protection is a matter of national security and interest and it is imperative that Congress immediately exercise its oversight powers to ensure that existing laws on data privacy are religiously followed.

“We have existing laws, especially Republic Act 10173 or the Data Privacy Act of 2012, this should be enforced,” Revilla said.

Meanwhile, the NBI said they have conducted an investigation following the massive breach reported by vpnMentor on Thursday.

“We are reasonably certain that the alleged breach does not involve any of the NBI’s systems,” the NBI wrote.

The agency reassured the public that they give paramount importance to data privacy.

It added that they would continue to monitor and investigate the breach of data and will find and adapt new ways to keep information safe.

For his part, PNP chief Gen. Rodolfo Azurin Jr. has ordered the Anti-Cybecrime Group (ACG) to coordinate with the Department of Information and Communications Technology (DICT) on the alleged massive data breach at the PNP and other government departments.

“I hope the ACG is coordinating with DICT so we can trace where the hacking in our system came from,” he told reporters in San Fernando City, La Union.

For Azurin, it is important that they find out the extent of the documents that were leaked, which he warned could be used by those responsible in crimes. He said a data breach would sometimes compromise their system.

NPC not sure

As the National Privacy Commission (NPC) is still probing the alleged leak of documents containing personal data involving law enforcement, the privacy watchdog said it is still not sure if an unauthorized person was able to download the entire database.

“At this point of the investigation, we’re not sure that an unauthorized person got or managed to download the entire database,” NPC complaints and investigation division chief Michael Santos said over ANC. Santos said that according to Jeremiah Fowler, the cybersecurity researcher who published an article regarding the alleged massive data breach, the databases of concerned government agencies were not password-protected.

“As Mr. Fowler claimed, he saw that the database was not password-protected by using an IOT (internet of things) scanner. So he found that it was exposed. But he is not sure if someone downloaded the entire database,” Santos said. “Right now, what we have from Mr. Fowler is that the database was left exposed.”

The NPC called a meeting with concerned government agencies including the BIR, PNP, NBI and the Civil Service Commission (CSC) as part of its probe on the alleged leak of personal data.

“According to representatives of said agencies, after conducting their respective investigations and vulnerability tests, the NBI, CSC and BIR have confirmed that there were no breaches on their part and will release their respective statements to the public,” NPC Commissioner John Henry Naga said in a statement.

Meanwhile, the DICT said the Cybersecurity Bureau’s Philippine National Computer Emergency Response Team (NCERT) has also been investigating the alleged breach after receiving links to an Azure blob storage containing sample photos of IDs, including PNP and NBI clearances, from a security researcher last Feb. 22.

It said the NCERT provided an incident report regarding the alleged breach to both the PNP and the NBI for a period covering March 3 to 23, 2023. In a separate statement, the CSC assured the public that its system and database were not breached or attacked. — Catherine Talavera, Mark Ernest Villeza, Emmanuel Tupas