Don’t collect data you can’t protect: Philippine privacy commissioner

The comments come as authorities are investigating the reported compromise of a database containing personal information for over a million individuals.

Dexter Cabalza

Philippine Daily Inquirer

John Henry Naga —Photo from National Privacy Commission facebook page

April 21, 2023

MANILA – Authorities are trying to get to the bottom of the reported exposure of the database managed by the Philippine National Police that may have compromised the personal information of more than a million people between January and March this year.

A group of information technology professionals said the breach, as reported by a cybersecurity tracker based outside the country on Tuesday, had raised doubts about the ability of government agencies to protect data collected from the public, especially with the implementation of the SIM Registration Act.

On Thursday, the National Privacy Commission (NPC) said it had met with the PNP, National Bureau of Investigation and other concerned agencies to investigate the alleged exposure of about 1.2 million documents containing the personal data of PNP personnel and applicants.

“As your data privacy authority, the NPC is fully committed to protecting personal information and assures the public that we will not leave a stone unturned in getting to the bottom of this alleged breach,” NPC commissioner John Henry Naga said in a statement.

“We would also like to have this opportunity to remind those who process personal data that they concomitantly have the duty to protect the data they collect. Do not collect if you can’t protect,” Naga added.

No password protection
In a report published on the vpnMentor website, cybersecurity researcher Jeremiah Fowler said the database, which had no password protection, was exposed online for at least six weeks before access restrictions were restored in the second week of March, after he alerted the PNP about it.

The 817.54-gigabyte database contained scanned and photographed images of original documents that included birth certificates, educational record transcripts, diplomas, tax filing records, passport and police identification cards.

Some of them were clearances issued by the PNP, the NBI, the Bureau of Internal Revenue (BIR) and the Civil Service Commission (CSC), which mostly contain fingerprint scans and signatures.

“Any data breach that exposes personal information belonging to police and members of law enforcement or other officials can be dangerous. Individuals whose data is exposed could be potential victims of identity theft, phishing attacks, and a range of other malicious activities,” Fowler said.

In a message to the Inquirer, Michael Santos, chief of the NPC’s Complaints and Investigation Division, said “we are just at the initial stage of investigation to first verify if there is a leak, and if so, how large and what data is involved and who suffered a breach.”

ACG, DICT probes
The NPC has sought an explanation from the concerned agencies, Santos said, adding: “In case the hack was made possible due to gross negligence, the person responsible may be made liable.”

Police Brig. Gen. Sidney Hernia, director of the PNP Anti-Cybercrime Group (ACG), maintained that “we cannot categorically say at this time that there was a leak” pending the results of the “vulnerability assessment and penetration testing” on the PNP systems.

The ACG, Hernia said, has requested complete access to evaluate the logs in the system of the PNP’s Recruitment and Selection Service, which operates the portal where applicants file forms online, including the document attachments in the data leak reported by Fowler.

The Department of Information and Communications Technology (DICT) has also launched a parallel investigation, according to Secretary Ivan Uy.

The DICT’s National Computer Emergency Response Team did not classify the incident as a data breach when it was first reported to the agency in March, Uy explained. While the documents issued by the NBI, BIR and CSC may have been exposed, it doesn’t necessarily mean that the systems of these agencies have been hacked, he added.

Common during pandemic
In an interview on ANC on Thursday, Fowler said that for a certain period the PNP database “was publicly accessible to anyone with an internet connection and some open-source browsing tools. It doesn’t take specialized knowledge to see this; you just have to know where to look.”

Fowler said it was possible that the data breach was the result of a “mistake” on the part of the government agency or the third-party cloud storage provider that kept the database. “In my personal opinion, more than likely it belonged to someone who was authorized to manage to handle these documents.”

According to Fowler, “during the pandemic there was a tidal wave of data breaches, because companies would open up access to the remote employees, and not realize that they accidentally opened the entire database for everyone.”

PNP ‘complacency’
Meanwhile, a group of information and communications technology professionals in the country called for a review of the Data Privacy Act of 2012 to keep its implementation abreast of the latest technology.

In a statement on Thursday, the Computer Practitioners’ Union said concerned agencies should immediately inform potential victims of the data breach about “the risks they were exposed to because of the PNP’s complacency,” so that they can promptly secure all their personal accounts such as emails, bank accounts and digital applications.

“If the DICT—which is tasked to conduct security audits on the PTEs’ (public telecommunication entities) SIM Registers/databases—was not able to detect in its supposedly regular security testing the holes in the PNP’s database, how can we trust that they can competently ensure the security of our data?” the group said, referring to the ongoing registration of SIM cards required of mobile phone users.

“If the PNP is so complacent as to leave their database without a password, and the DICT was not able to prevent the leakage of sensitive data… how can they prove to us that they will seriously protect our personal information collected from SIM Registration?” it said.
