Metro Manila (CNN Philippines, April 25) – The recruitment and selection service database of the national police is the focus of the probe on the supposed more than 1.2 million employee and application records, the National Privacy Commission (NPC) said on Tuesday.
Privacy Commissioner John Henry Naga said the National Bureau of Investigation, Bureau of Internal Revenue, and Civil Service Commission confirmed there was no breach in their systems.
Naga said investigation on the police repository began on Monday after a meeting with cybersecurity researcher Jeremiah Fowler last Friday. Naga said the database is the cloud storage for the police application portal.
“Yesterday (Monday) we went to PNP (Philippine National Police) naman to conduct our onsite investigation to compare yung binigay sa amin ni Mr. Fowler doon sa data na meron si PNP. So right now, we’re still verifying if magma-match yung dalawa, yung kay Mr. Fowler and yung sa PNP,” Naga told CNN Philippines.
[Translation: Yesterday we went to PNP to conduct our onsite investigation to compare the data given by Mr. Fowler with the one provided by PNP. So right now, we’re still verifying if those provided by Mr. Fowler and the PNP will match with each other.]
The Department of Information and Communications Technology earlier discounted hacking in the data leak as there were no attempts of security breach.
NPC also confirmed there was no breach or unauthorized access to the repository based on initial data. The commission is still verifying Fowler’ s claim that the cloud storage was not password protected.
“Chine-check din namin yung logs ng PNP up to this day. But remember nangyari yung event na ‘yan is sometime February. So, we still need to go back doon sa February na nag-start yung alleged na nagkaroon ng mismanagement ng site,” Naga said.
[Translation: We are also checking the logs of PNP up to this day. But remember, that event happened sometime in February. So, we still need to check back the February data, because that was the time when there was an alleged mismanagement of the site.]
Naga said two cases may be filed against those found responsible for the data leak.
“Under the Data Privacy Act of 2012, for this particular incident, dalawa ang nakikita namin na pwedeng case which is criminal prosecution. Number one is unauthorized access of personal information due to gross negligence. Number two if tinago nila, pwedeng concealment,” he noted.
