By Alec Go
The alleged data breach that leaked applicant and employee records from some Philippine government offices did not take place at the Bureau of Internal Revenue (BIR) and the Civil Service Commission (CSC), according to the two offices.
This followed reports on April 20 that a breach happened in three government offices.
“The BIR has been exerting efforts to protect and maintain the security of its data. The Bureau has initiated response protocols to keep its database protected,” BIR Commissioner Romeo Lumagui Jr. said.
“We are now in close coordination with the authorities and other government agencies to assist in mitigating the reported breach,” he added.
In a separate statement, the CSC said it has been informed by the Department of Information and Communications Technology’s (DICT) National Computer Emergency Response Team “that the CSC system and database were not breached or attacked” as of 10:00 a.m.
“The CSC recognizes that the institution must always be in a defensive position to protect itself from cyber threats by ensuring that our information technology systems are secure and the necessary infrastructure is in place to protect sensitive personal data from cyber attacks, such as identity theft and phishing scams,” it stated.
“Rest assured that the CSC takes this matter seriously and with utmost urgency, and will cooperate with the DICT and other relevant government agencies to investigate this report,” it added.
Alleged leak
In a report by cybersecurity researcher Jeremiah Fowler of vpnMentor, the leaked records were related to individuals who applied or are employed in the law enforcement sector.
The database had a total size of 817.54 gigabytes with 1,279,437 records exposed.
These include highly sensitive information such as scans of official documentation such as passports, birth and marriage certificates, drivers’ licenses, academic transcripts, security clearance documents, tax filing records, and criminal histories, among others.
The government offices mentioned were the Philippine National Police (PNP), National Bureau of Investigation (NBI), BIR, Special Action Force Operations Management Division, and the CSC.
“The database also contained character recommendations, in the form of letters from courts and municipal mayors offices certifying that those individuals applying to work in law enforcement possessed a good moral character and had no prior criminal records,” it noted.
Gov’t discussion
The National Privacy Commission (NSC) said a meeting with the PNP, BIR, and other allegedly affected agencies were scheduled at 1:00 p.m. on April 20.
The NPC said the PNP has been required to explain the incident further.
“We would also like to have this opportunity to remind those who process personal data that they concomitantly have the duty to protect the data they collect. Do not collect if you can’t protect,” NSC Commissioner John Henry Naga said.
“The NPC takes this matter very seriously, and we are working closely with all concerned agencies to investigate this issue thoroughly,” he added. – cf
