DICT says PNP records targeted by data expose
THE Department of Information and Communications Technology (DICT) expressed belief that the supposed leak targeted records from the Philippine National Police (PNP) database which may have compromised details of 1.2 million records of employees and applicants.
But according to DICT Secretary Atty. Ivan Uy, the said incident was not tagged by the National Computer Emergency Response Program (NCERP) as a data breach.
He also said that said the incident was reported in March to the NCERP.
“It was reported March pa so na inform na researcher na ito naginform sa CERT natin may nakita na data na nandun lang open lang sa internet so walang sinabi na na-hack o information basta nakatiwanwang,” Uy said, adding that it was open for the entire public to see.
(It was reported since March. So, our researcher was informed through the NCERP and what was said that it was just open in the internet so there is no so hacking or information and it was just there, exposed)
According to a report from Jeremiah Fowler at vpnmentor.com, the leaked data include documents of academic and personal history.
These include birth certificates, educational record transcripts, diplomas, tax filing records, passports and police identification cards. Copies of fingerprint scans, signatures, and required documents were also found.
Secretary Uy said that such information may have come from the human resources of the PNP.
However, the DICT secretary said that the information exposed to the web may have been simply downloaded or copied via USB, or the system had a weak password or security.
“Yan iniimbestigahan natin (We are investigating that). If may weak password or the information was due to negligence where they put such information to a server that has no or weak security features,” he added.
Secretary Uy said that the National Bureau of Investigation and the Bureau of Interanl Revenue may have been dragged since the documents or data from them were included in the information of each person.
“It does not mean that the NBI or the BIR system was hacked,” he said.
But Secretary Uy said that they have to verify the information especially claims that the number reached 1.2 million.
“I was only given a sample copy of 10 pages. And when we checked the link that was given to us, we can’t open it,” he said.
Secretary Uy said that they had already written to the Philippine National Police (PNP) with regards to the situation.
Fowler said that there were from different agencies like the PNP, National Bureau of Investigation (NBI), Bureau of Internal Revenue, Special Action Force Operations Management Division, and Civil Service Commission, amongst others.
Also contained in the leaked database were letters from court and municipal mayors’ offices recommending good moral character and certifying clear criminal records of individuals.
Some documents also contained tax identification numbers (TIN).
According to Fowler, documents of internal directives addressing law enforcement officers were also found in the leaked data.
Fowler said concerned individuals could be potential victims of identity theft, phishing attacks, and a range of other malicious activities.
He added that criminals may use their identities for loans, credit, or other financial crimes using the identities of these individuals and supporting documents.
The National Privacy Commission (NPC) met with the Philippine National Police (PNP), National Bureau of Investigation (NBI), and other concerned agencies to investigate the alleged leak of documents containing personal data involving law enforcement.
It was also attended by representatives of NPC, PNP, Civil Service Commission (CSC), and Bureau of Internal Revenue (BIR).
“As your data privacy authority, the NPC is fully committed to protecting personal information and assures the public that we will not leave a stone unturned in getting to the bottom of this alleged breach. We would also like to have this opportunity to remind those who process personal data that they concomitantly have the duty to protect the data they collect. Do not collect if you can’t protect,” Privacy Commissioner John Henry Naga said.
In light of the alleged records leak and breach, the NPC has taken swift action and called the PNP, requiring them to provide additional information and explanation regarding the incident.
“The NPC takes this matter very seriously, and we are working closely with all concerned agencies to investigate this issue thoroughly,” he added.
Catherine R. Cueto