OSG probes online data breach

MANILA, Philippines — The Office of the Solicitor General is looking into the reported online data breach of OSG documents containing sensitive information, Justice Secretary Menardo Guevarra said yesterday.

On April 30, British cybersecurity firm TurgenSec revealed that around 345,000 OSG files were made accessible to the public online in the past two months.

Turgensec said the files included staff training documents, internal passwords and policies, staffing payment information as well as financial processes and audits.

TurgenSec reportedly learned about the data breach in February when a “third party” whistle-blower allegedly sent the files for examination.

“Anyone with a web browser and internet connection could search for the data,” TurgenSec said.

The security company based in London said it informed the OSG and Department of Justice (DOJ) about the data breach through e-mail on March 1 and 24 but did not receive a reply.

Guevarra said the DOJ has not received official information on the supposed data breach.

“I understand that the Solicitor General’s office is now looking into the alleged data breach. The DOJ will be ready to assist the OSG, if necessary,” he said.

The OSG said it has yet to verify the data breach.

“The OSG will protect the confidential and sensitive information contained in its submissions before the courts,” the OSG said.

The OSG is handling legal cases filed before the DOJ, Court of Appeals and Supreme Court against government officials.

TurgenSec said the documents were removed on April 28, but did not discount the possibility that some could still be found on the web.

The documents that were released online reportedly mentioned the words “rape” 774 times, “execution” 437 times and “trafficking” 135 times.

Some of the documents carried sensitive passwords as well as topics such as drugs, abuse, intelligence, terrorism, opposition, nuke, quarantine and COVID-19.

TurgenSec believes that the data might have ended up online because of a misconfigured server or when an administrator accidentally set a group of documents to “public” instead of “private.”

The company called on the OSG to submit the breached data to digital forensics experts to check the extent of the breach and if there were any data compromised by the leak.

It also urged the OSG to declare if any files pertaining to British citizens were included in the leaked data.

The OSG website was also hacked last December.