NPC probes 'massive leak' of gov't personnel data

enablePagination: false
maxItemsPerPage: 10
maxPaginationLinks: 10

Metro Manila (CNN Philippines, April 20) — The National Privacy Commission (NPC) urged all government bodies to review and strengthen their data privacy and security measures, as it investigates the alleged leak of over 1.2 million employee and applicant records of various agencies.

The NPC on Thursday met with representatives from the Philippine National Police (PNP), the National Bureau of Investigation (NBI), Civil Service Commission (CSC), and Bureau of Internal Revenue (BIR) to probe the massive "breach."

"[T]he Philippine National Police requested for time to validate and review its system for possible security compromise considering that the police was highlighted in the report alleging the data leak," NPC Commissioner John Henry Naga said after the meeting.

The commission said it ordered an onsite investigation into the PNP's data processing system on April 24.

It also asked cybersecurity researcher Jeremiah Fowler — who reported the data leak on Tuesday — to appear before the commission on April 21 to help in the probe.

The Department of Information and Communications Technology (DICT), which expressed "grave concern" over the incident, conducted its own investigation through the National Computer Emergency Response Team (NCERT).

"The NCERT started its investigation on the alleged breach after receiving links to an Azure blob storage containing sample photos of IDs, including PNP and National Bureau of Investigation (NBI) clearances, from a security researcher last 22 February 2023. The said security researcher did not disclose to NCERT the source of the data and what information asset was compromised," the DICT said.

"Further, the information sent by the security researcher is identical to what was reported by Mr. Jeremiah Fowler and which has since been credited by recent news reports," it added.

In a report on cybersecurity research firm vpnMentor, Fowler said a database with a total size of over 800 gigabytes and containing over 1.2 million records relating to affairs of law enforcement agencies had been exposed for a minimum of six weeks. He warned that it could be used in criminal activities and carries national security risks.

The leaked documents reportedly include personal information such as names, addresses, contact details, and medical records of public officials and employees — including police officers, prosecutors, and judges.

'No breach'

In separate statements also on Thursday, the BIR, CSC, and the NBI said they found no breach within their agencies. The BIR and CSC are also coordinating with investigators.

The CSC added that NCERT itself confirmed the CSC system and database were not compromised.

For the NBI, it was "reasonably certain" that the breach did not involve any of its systems as the "nature of the compromised data…are not included in our hiring and selection process."

"While the breached records supposedly include copies of NBI Clearance IDs, these are normally released to the applicant, who may then submit or upload the same for their stated purposes," it said.

Fowler earlier warned that individuals whose data were leaked could be potential victims of identity theft, phishing attacks, and a range of other malicious activities.

Speaking to CNN Philippines' The Final Word, Fowler said only a forensic audit would determine how long the data has been exposed and who owned the data.

He added that the data could have been accessed by a third party contractor or an individual developer working from home.

CNN Philippines correspondent Paige Javier contributed to this report.