Philippine police employee records leaked in data breach
A DATABASE containing more than 1.2 million police records and 800 gigabytes of information on people who work or applied for employment in law enforcement in the Philippines appears to have been breached, according to a cyber-security researcher.
In a report posted on vpnMentor, cyber-security researcher Jeremiah Fowler said Philippine authorities should look into the data breach and find out who is behind it.
“Any data breach that exposes personal information belonging to police and members of law enforcement or other officials can be dangerous,” he said.
“Individuals whose data are exposed could be potential victims of identity theft, phishing attacks and a range of other malicious activities.”
“There is a common assumption that a data breach is usually caused by an outside hacker,” Yeo Siang Tiong, Kaspersky general manager for Southeast Asia, said in an e-mailed reply to questions. “But this is not always the case. Sometimes, it can be traced back to intentional attacks. Or it can be the result of a simple oversight or an innocent mistake by individuals or flaws in a company’s infrastructure.”
“A data breach, which exposes confidential, sensitive or protected information to an unauthorized person, generally happens because of weaknesses in human behavior and technology,” he added.
Mr. Fowler said government agencies should conduct a comprehensive forensic audit on the exposed data.
The Philippine National Police Criminal Investigation and Detection Group (CIDG) did not immediately reply to a Viber message seeking comment.
Mr. Fowler said other highly sensitive information such as passports, birth and marriage certificates, academic transcripts and security clearance documents were also on the database.
There were also documents on tax identification numbers of law enforcers. He said the said data were available for public access for at least six weeks.
The cyber-security expert added that letters addressed to police officers that might be confidential were also available on the database.
“The availability of government records in an unsecured database raises concerns about a potential national security issue,” he said.
Mr. Fowler added that he had sent more than 15 notices about the data breach to several government agencies.
Only the Philippine National Computer Emergency Response Team responded, saying it would look into the issue.
In a report on April 17, global cyber-security firm Kaspersky said web attacks targeting entities in the Philippines rose to 492,567 in 2022 from 382,940 a year earlier.
“Last year was a period of reopening for most businesses in Southeast Asia and, unfortunately, so too for cyber-criminals,” Mr. Tiong said in an April 17 report.
The firm said human and technical errors were the main weaknesses of entities vulnerable to online attacks.
The Philippines ranked 23rd out of 250 countries that were most affected by data breaches, with a total of 523,684 leaked accounts in the third quarter of 2022, virtual private network service provider Surfshark said in a report on Oct. 28.
The country placed third worldwide in ransomware payments in 2021, with local organizations spending an average of P1.6 million, according to cyber-security firm Sophos.
The Banker’s Association of the Philippines (BAP) has said unauthorized withdrawals and transfers reached more than P1 billion in 2021 due to an uptick in cyber-crime incidents amid a coronavirus pandemic.
Interior and Local Government Secretary Benjamin C. Abalos, Jr. has said he would prioritize enhancing the Philippine police’s capabilities against cyber-crime.
He said he would seek new equipment and hire more technical experts for the police’s anti-cybercrime division.
The National Privacy Commission in December said it would work with the Cybercrime Investigation and Coordinating Center to come up with countermeasures to combat cyber-crime and data breaches.
“The exposed records could also potentially allow criminals to target members of law enforcement for blackmail or other schemes,” Mr. Fowler said.
“It is crucial to emphasize that the information in question was readily accessible to individuals with an internet connection.” — John Victor D. Ordoñez