Despite the denial of a data breach by some law enforcement agencies, the Department of Information and Communications Technology (DICT) said on Thursday, April 20, that copies of leaked personal data were stored in an Azure cloud site.
In a statement, the DICT said the Philippine National Computer Emergency Response Team (NCERT), under its Cybersecurity Bureau, has “doubled down” on its investigation into the matter after receiving information about the alleged breach from a security researcher last Feb. 22.
The tipster sent links to an Azure blob storage containing sample photos of IDs from documents, including Philippine National Police (PNP) and National Bureau of Investigation (NBI) clearances.
“The security researcher did not disclose to NCERT the source of the data and what information asset was compromised,” the DICT said.
The department noted, however, that the information sent by the security researcher was identical to what was reported by Jeremiah Fowler of VPNmentor, which has since been credited by recent news reports.
The NCERT provided an incident report regarding the alleged breach to both the PNP and the NBI between March 3 and 23, according to the DICT.
“The DICT considers the incident as a grave concern that threatened the confidentiality, integrity, and privacy of user data,” it said. “The Department assures the public that investigation on the matter is underway.”
During a meeting called by the National Privacy Commission (NPC) also on Thursday, April 20, the concerned government agencies – the NBI, Civil Service Commission (CSC), and Bureau of Internal Revenue (BIR) – insisted that no breaches occurred on their systems.
“[However], the PNP requested for time to validate and review its systems for possible security compromise considering that the police was highlighted in the report alleging the data leak,” the NPC said in a statement.
To investigate the matter, the NPC said it issued an order to conduct an onsite investigation of the concerned data processing system of the PNP on Monday, April 24.
“Likewise, we also ordered Mr. Jeremiah Fowler, the cybersecurity researcher who published an article regarding this matter, to appear before this Commission on 21 April 2023 to aid this Commission in its investigation,” it added.
The privacy body said the “recent allegations of a data breach involving law enforcement agencies in the country should serve as a reminder that no organization, not even the government, is immune to the threat of cyberattacks.”
It added: “Even as our probe is underway, the NPC strongly demands of these government agencies, such as the PNP, to strictly comply with the Data Privacy Act of 2012, including the mandatory breach notification requirement under various NPC Circulars.”