Calls for accountability raised after reported law enforcement personnel data breach

April 20, 2023 - 4:47 PM
2114
Image by Biljana Jovanovic from Pixabay

Over a million private records from law enforcement agencies in the Philippines were found to be easily accessible through the Internet, according to a report from a cybersecurity research company.

Jeremiah Fowler, a cybersecurity researcher, stated this in a report on VPNMentor on April 18.

The report was about the alleged massive leakage of records of employees and applicants of different Philippines government agencies. These include the following:

  • Philippine National Police
  • National Bureau of Investigation
  • Bureau of Internal Revenue
  • Special Action Force Operations Management Division
  • Civil Service Commission

In the report, Fowler said that a total of 1,279,437 exposed records were contained in an 817.54 GB-sized database.

He also further described the supposedly personal and sensitive data as “readily accessible” online.

“As security researchers, our primary objective is to ensure the protection of data and to help secure any exposed data. It is crucial to emphasize that the information in question was readily accessible to individuals with an internet connection,” Fowler said.

In the report, he also said that such an amount of data has been exposed for a minimum of six weeks.

The cybersecurity researcher said that he tried his best to keep the data secure during this period.

The full report can be viewed through this link Philippines Police Employee Records Leaked Online in a Massive Data Breach (vpnmentor.com).

Privacy Commission’s response

In response to this report, the National Privacy Commission (NPC) said that it will meet with the PNP, NBI and other government agencies involved to conduct an investigation into this alleged data breach on law enforcement data.

The NPC stated that they are scheduled to meet on Thursday afternoon.

Privacy Commissioner John Henry Naga, meanwhile, reminded individuals or institutions who process personal data about the importance of data protection.

“As your data privacy authority, the NPC is fully committed to protecting personal information and assures the public that we will not leave a stone unturned in getting to the bottom of this alleged breach. We would also like to have this opportunity to remind those who process personal data that they concomitantly have the duty to protect the data they collect,” Naga said.

“Do not collect if you can’t protect,” the commissioner further emphasized.

Naga also assured the public that it will work closely with the law enforcement agencies and organizations involved in the alleged leakage.

“The NPC takes this matter very seriously, and we are working closely with all concerned agencies to investigate this issue thoroughly,” he said.

Calls for better cybersecurity measures, accountability

The clamor for the government to ramp up its cybersecurity measures was once again raised on social media following the report.

“For years, people have been clamoring for higher levels of cybersecurity for Philippine institutions! This is completely unacceptable,” a Twitter user said.

One Twitter user reacted to the part where Fowler mentioned that the private records were found in an unsecured database.

“My government doesn’t care about its citizens,” this user tweeted.

Several Filipinos, meanwhile, urged the government to be more proactive this time in finding the perpetrators.

“Somebody in the concerned government agencies must be held accountable for this, for not securing the data, for being incompetent and negligent,” a Filipino said on Twitter.

A Redditor, meanwhile, advised other Filipinos to change their passwords on their online accounts.

“Please change your Gcash, Maya, Binance, Grab, online banks, Lazada, Shopee, and other accounts. Much better remove ninyo yung link between your credit/debit card to third party apps para hindi kayo umiyak sa Tiktok. Also, use 2fa sms/email/facial verification if existing sa other mobile apps,” the Redditor said.

What are the types of data found?

In the report, Fowler categorized the types of information in the alleged database into the following:

  • Identification records of employees and applicants of government offices

These include academic histories of the victims, copies of fingerprint scans, signatures, and other important personal documents.

  • Internal directives within the government offices

These include internal orders, directives for additional training of officers, and other documents that may or may not be confidential