By Charles Dantes
A report has surfaced that more than 1.2 million Philippine National Police employee records, stored in a non-password-protected database, were leaked in a data breach.
Jeremiah Fowler, a cybersecurity researcher, said that based on his research, the records were related to individuals who were employed in or applied to work in law enforcement.
A total of 1.2 million records were exposed in the database, which has an overall size of 817.54 gigabytes.
These documents included paperwork from the PNP, National Bureau of Investigation, Bureau of Internal Revenue, Special Action Force Operations Management Division, Civil Service Commission, and others, as well as biometric records such as fingerprints and signatures.
The PNP and the government agencies affected by the data breach have yet to comment on the revelations as of posting time.
Also found in the database, Fowler said, were character recommendations, in the form of letters from courts and municipal mayors’ offices certifying the individuals applying to work, and a selection of documents containing tax identification numbers.
Papers pertaining to internal communications also surfaced, including documents and directives addressed to law enforcement officers, which may or may not be confidential.
Fowler said that he cannot confirm the legitimacy or correctness of the leaked data, but said he is confident that his disclosure has served to safeguard the affected individuals.
“As an ethical researcher, I cannot further confirm or verify the accuracy or authenticity of these documents contained within this database. As such, I cannot guarantee that the contents of the documents are accurate or reliable,” said Fowler.
“As security researchers, our primary objective is to ensure the protection of data and to help secure any exposed data. It is crucial to emphasize that the information in question was readily accessible to individuals with an internet connection. I am confident that my responsible disclosure has served to safeguard the affected individuals,” he added.
Fowler also claimed that due to the amount of time from when the leak was discovered, reported, and closed, it is unclear exactly how long the database was publicly accessible.
“Due to the amount of time from when the exposure was discovered, reported, and finally closed, it is unclear exactly how long the database was publicly accessible or if anyone else may have accessed it. I can validate that the data was exposed for a minimum of 6 weeks, during which I did my best to have it secured. To fully understand the extent and impact of the breach, a comprehensive forensic audit is necessary,” said Fowler.