Metro Manila (CNN Philippines, April 19) — The Philippine National Police (PNP) and the National Bureau of Investigation (NBI) are still verifying Tuesday’s alleged massive data breach, where over 1.2 million applicant and employee records of various agencies were supposedly leaked.
In a report on cybersecurity research company vpnMentor, researcher Jeremiah Fowler said a database with a total size of 817.54 gigabytes containing 1,279,437 records relating to affairs of law enforcement agencies had been exposed.
Fowler said he could \”validate that the data was exposed for a minimum of 6 weeks, during which I did my best to have it secured.\”
He added that a comprehensive forensic audit is \”necessary.\”
\”Samples of records include copies of fingerprint scans, signatures, and required documents from multiple Philippine state agencies including the Philippine National Police (PNP), National Bureau of Investigation (NBI), Bureau of Internal Revenue, Special Action Force Operations Management Division, Civil Service Commission, amongst others,\” he wrote.
The cybersecurity researcher added that the database contained character recommendations that certified applicants possessed a good moral character and had no prior criminal records, and a selection of documents containing Tax Identification Numbers (TIN).
\”We cannot categorically say at this time that there was a leaked applicants data,” said PBGen. Sidney Hernia, the director of PNP’s Anti-Cyber Crime Group. \”We are still conducting vulnerability assessment and penetration testing. We also requested complete access logs from PRSS (PNP Recruitment and Selection Service) to evaluate those logs.\”
\”Based on the initial assessment of our IT people, so far wala kaming nakitang breach sa aming system but continuous ang aming verification at monitoring [we did not see any breach on our system but our verification and monitoring continue],\” said NBI spokesperson Giselle Dumlao.
The BIR has yet to issue a statement while the CSC has yet to respond to CNN Philippines’ request for comment.
Fowler said he made attempts to talk with relevant authorities but did not receive an official response.
“Due to the amount of time from when the exposure was discovered, reported, and finally closed it is unclear exactly how long the database was publicly accessible or if anyone else may have accessed it,” he said.
Fowler warned individuals whose data were leaked could be potential victims of identity theft, phishing attacks, and a range of other malicious activities.
