
THE NATIONAL Privacy Commission (NPC) on Thursday said it would look into a reported data breach of police records and information on people who work or applied for employment in law enforcement in the Philippines.

In a statement, the agency said it would meet with the Philippine National Police (PNP), National Bureau of Investigation (NBI), Bureau of Internal Revenue (BIR) and Civil Service Commission (CSC) on Thursday to discuss the data leak.

“As your data privacy authority, the NPC is fully committed to protecting personal information and assures the public that we will not leave a stone unturned in getting to the bottom of this alleged breach,” Privacy Commissioner John Henry Naga said.

“We would also like to have this opportunity to remind those who process personal data that they concomitantly have the duty to protect the data they collect.”

In a report posted on the vpnMentor website on Tuesday, cyber-security researcher Jeremiah Fowler said more than 1.2 million police records and 800 gigabytes of information on people who work or applied for employment in law enforcement in the Philippines were publicly available on a database.

He said government agencies should conduct a comprehensive forensic audit of the exposed data.

Albay Rep. and House ways and means committee chairman Jose Maria Clemente S. Salceda said the NBI should scrap the police clearance requirement after the data breach.

“If you are involved in some crime, we can probably get your data easily anyway,” he said in a statement on Thursday.

“Rather than putting ordinary law-abiding citizens through the hassle and expense of clearances, as well as the risk of data breach, why don’t we normalize due diligence among employers?”

In a separate statement, Internal Revenue Commissioner Romeo D. Lumagui, Jr. assured that there was no breach at the agency.

“The bureau has initiated response protocols to keep its database protected,” he said. “We are now in close coordination with the authorities and other government agencies to assist in mitigating the reported breach.”

The database also contained documents on tax identification numbers of law enforcers, which was available for at least six weeks, according to the report.

Mr. Fowler said exposed police records could allow criminals to blackmail members of law enforcement, among other criminal schemes.

In a report on April 17, global cyber-security firm Kaspersky said web attacks targeting entities in the Philippines rose to 492,567 in 2022 from 382,940 a year earlier.

The country placed third worldwide in ransomware payments in 2021, with local organizations spending an average of P1.6 million, according to cyber-security firm Sophos.

The Philippines ranked 23rd out of 250 countries that were most affected by data breaches, with 523,684 leaked accounts in the third quarter of 2022, virtual private network service provider Surfshark said in a report on Oct. 28.

In December, the Privacy Commission said it would work with the Cybercrime Investigation and Coordinating Center to come up with countermeasures to combat cyber-crime and data breaches.

“The NPC will continue to work closely with the PNP, NBI and other concerned agencies to ensure that appropriate actions are taken to prevent similar incidents from happening in the future,” it said.

Meanwhile, the Department of Information and Communications Technology (DICT) said it was doubling down on its investigation of the breach.

The National Computer Emergency Response Team (NCERT) started its probe after receiving links to an Azure blob storage containing sample photos of IDs, including PNP and NBI clearances, from a security researcher on Feb. 22, DICT said in a statement.

The security researcher did not disclose to the team the source of the data and what information asset had been compromised.

“The information sent by the security researcher is identical to what was reported by Jeremiah Fowler and which has since been credited by recent news reports,” DICT said.

The NCERT provided an incident report on the breach to both PNP and NBI on March 3 to 23, it added.

“The DICT considers the incident a grave concern that threatened the confidentiality, integrity and privacy of user data,” it said. “The department assures the public that investigation on the matter is under way.”

“The department would like to remind all government agencies to increase their cyber-security measures and to coordinate with the DICT for further capacity building in this area,” it added. — John Victor D. Ordoñez