A report surfaced Tuesday that more than 1.2 million Philippine National Police employee records, held in a non-password-protected database, were leaked in a data breach. Jeremiah Fowler, a cybersecurity researcher, said that, based on his research, the records related to individuals who were employed by or applied for work in law enforcement.
A total of 1.2 million records were exposed in the database, which has an overall size of 817.54 gigabytes.
These documents included paperwork from the PNP, National Bureau of Investigation, Bureau of Internal Revenue, Special Action Force Operations Management Division, Civil Service Commission, and others as well as biometric records such as fingerprints and signatures.
However, the Department of Information and Communications Technology (DICT) National Computer Emergency Response Team has informed the Civil Service Commission Integrated Records Management Office that the CSC system and database were not breached or attacked.
Commissioner Romeo Lumagui Jr. also assured the public the alleged breach did not happen in the Bureau of Internal Revenue.
The PNP said it was still verifying the alleged data leak. PNP Anti-Cyber Crime Group Director Brig. Gen. Sidney Hernia said they were still conducting an assessment of the incident.
“We cannot categorically say at this time that there was leaked applicants’ data,” said Hernia.
“We are still conducting vulnerability assessment and penetration testing. We also requested complete access logs from PRSS (PNP Recruitment and Selection Service) to evaluate those logs.”
In reaction to the leak, Albay Rep. Joey Sarte Salceda said the country should consider doing away with the requirement of a Police or National Bureau of Investigation clearance for employment and other engagements.
“Frankly, the PNP and other law enforcement agencies should not be in the business of storing the personal data of law-abiding citizens. And besides, that distracts from their law enforcement functions,” said Salceda, chair of the House committee on ways and means.
“If you are involved in some crime, we can probably get your data easily anyway. Rather than putting ordinary law-abiding citizens through the hassle and expense of clearances, as well as the risk of data breach, why don’t we normalize due diligence among employers?”
At the same time, ACT Teachers Rep. France Castro echoed Salceda’s concern even as he denounced the massive data leak that exposed 1,279,437 records belonging to law enforcement agencies as revealed by cybersecurity research company VPNmentor.
“This has to be investigated by Congress because the very privacy and safety of our people are at stake here,” added Castro.
According to Fowler, also found in the database were character recommendations, in the form of letters from courts and municipal mayors’ offices certifying that those individuals applying to work, and a selection of documents containing tax identification numbers.
Papers pertaining to internal communications also surfaced, including documents and directives addressing law enforcement officers, which may or may not be confidential.
Fowler said he could not confirm the legitimacy or correctness of the leaked data but was confident his disclosure had served to safeguard the affected individuals.
“As an ethical researcher, I cannot further confirm or verify the accuracy or authenticity of these documents contained within this database. As such, I cannot guarantee that the contents of the documents are accurate or reliable,” said Fowler.
“As security researchers, our primary objective is to ensure the protection of data and to help secure any exposed data. It is crucial to emphasize that the information in question was readily accessible to individuals with an internet connection. I am confident that my responsible disclosure has served to safeguard the affected individuals,” he added.
Fowler also claimed that, because of the time that passed between the leak being discovered, reported, and closed, it was unclear exactly how long the database was publicly accessible.