Monday, December 11, 2023

Ransomware data may drop in hours as PhilHealth rejects ransom demand

There may be less than 24 hours before data which may have been obtained by hackers in the PhilHealth (Philippine Health Insurance Corporation) Medusa ransomware attack will be released to the public.

According to the countdown timer on the Medusa blog on the dark web, the files they supposedly exfiltrated from PhilHealth’s systems will be released on October 3 Philippine time if the $300,000 ransom is not paid in cryptocurrency.

The Medusa ransomware group has allegedly published data from other breached organizations before, and the PhilHealth data is the next to be released on the countdown timeline on their blog.

But in a press conference on Monday, Oct. 2, PhilHealth officials stood pat on the agency’s position not to give in to the ransom demand of the hackers.

“No membership data was lost, so it’s clearly a bluff. Let’s just wait for their bluff,” said PhilHealth president and CEO Emmanuel Ledesma Jr.

“It’s a complicated issue, but the membership data was completely untouched,” he said.

When asked if PhilHealth prepared for cyberattacks in the wake of the 2016 “Comeleak” data breach, Ledesma said, “You know ma’am, PhilHealth is actually fully prepared. Even without us asking, the DICT (Department of Information and Communications Technology), the NBI (National Bureau of Investigation) – all of them called and they’re offering their services.”

“We can do it on our own. I’m confident we can do it. But at the same time of course, we’re trying to, since the help is being offered and we know that DICT is more technical, we are using all the help we can so that in resolving this issue. We are doing our very best, no, and using all options available,” he added.

Early on the morning of Sunday, Oct. 1, however, members of Anonymous Philippines republished a video from the Medusa Media Team which displayed what appeared to be unredacted government and PhilHealth IDs, ID profile pictures, scans of paper documents, screenshots of electronic spreadsheet files, and other material.

It is unclear whether the data shown belonged to public PhilHealth beneficiary members or to PhilHealth employees.

The directory structure and filenames of the data on the released video appeared to be identical to the directory tree and file structure of the allegedly exfiltrated PhilHealth data displayed on the Medusa blog site, according to a security researcher.

Of interest were filenames and directories such as “De La Salle University”, “Ateneo de Manila University”, “PWD/person with disabilities”, “senior citizens”, and “NHTS-PR” (National Household Targeting System for Poverty Reduction).

At the time of publication, none of the contents of the files were viewable by the public on the Medusa blog, only the directory tree structures and file names, according to the researcher.

The alleged leak, if indeed real, can expose victims to physical danger, financial crimes, identity theft, fraud, and other harms due to the potential presence of government IDs and other PII (personally identifiable information) which contain full names, addresses, and dates of birth.

With the latest ransomware attack, ICT advocates are now calling for the Philippine government to give cybersecurity the proper attention and focus it deserves and spend more on cybersecurity infrastructure, professionals, and training for staff to prevent similar incidents in the future.

The author is a member of Democracy.Net.PH, an ICT rights, governance, development, policy, and security advocacy group.
