No hack, just a data leak.
The Department of Information and Communications Technology stressed this Tuesday, following reports of an alleged data breach involving more than 1.2 million records from law enforcement agencies.
“It was not a hack. It was a data leak,” DICT Secretary Ivan Uy told ANC’s Headstart.
“A cybersecurity researcher… happened to find a site where there was no security. It was just open to the public,” he added.
Based on DICT’s investigation, the data leak came from the online recruitment portal of the Philippine National Police.
“It’s an employment portal or recruitment portal. The uploaded documents were the ones that were exposed,” Uy said.
“So, there was no hacking. It was an unsecured site that was just open, and anybody could see it.”
In a chance interview with Palace reporters, Uy also said there were “serious lapses in the procedure” of the PNP in connection with its exposed recruitment system.
The National Privacy Commission is now handling the matter, the DICT chief added. The PNP’s IT department was not even aware of the recruitment page, Uy said.
The DICT has yet to discuss this with the PNP, Uy said, owing to the ongoing transition in the police force. The PNP leadership under new Police Chief Gen. Benjamin Acorda Jr. has yet to comment on the issue.
“Definitely, there were serious lapses in procedure. First: If you want to do that kind of system, you probably should get the permission of your IT department and the head of your agency, and they should have approved it. Even they (IT department) were not advised of it,” Uy said.
Cybersecurity firm VPNMentor reported last week the alleged “massive data breach” of employee and citizen records from the PNP, National Bureau of Investigation, Bureau of Internal Revenue, and Civil Service Commission.
According to the firm, the allegedly compromised database contained highly sensitive personal information such as passports, birth and marriage certificates, drivers’ licenses, academic transcripts, and security clearance documents.
Uy clarified the data leak did not happen in other agencies, adding the site was “not professionally developed” and the project was a “mom-and-pop operation.”
“Because it is a government agency, they just adopted and used it without even consulting the DICT on what are the best practices and international standards in terms of cybersecurity and data protection,” he said.
Uy said the site had since been taken down.
The National Privacy Commission has also initiated an investigation to see if any protocols, laws, or rules were violated, he added.
Cybersecurity researcher Jeremiah Fowler discovered the non-password-protected database through an IoT search engine.
He has said the database was “publicly accessible” to anyone with an internet connection.
With Charles Dantes