In a post on vpnMentor, cybersecurity researcher Jeremy Fowler claimed that there might be a data breach after discovering the “existence of a non-password protected database containing over 1.2 million records,” or 817.54 GB of government data.
The researcher also noted that the files he found looked like “employee or applicant records.” He included screenshots of the identification records of people who are connected to the Philippines’ law enforcement agencies. At the end of his post, Fowler said the data may have been exposed for six weeks.
After learning about the alleged data leak, the National Privacy Commission convened relevant government agencies including the Philippine National Police (PNP), National Bureau of Investigation (NBI), Civil Service Commission (CSC), and Bureau of Internal Revenue (BIR).
In a statement released right after the closed-door meeting, the privacy watchdog quoted the NBI, CSC, and BIR as confirming that no security incident occurred. The agencies had already conducted their internal investigations a day after the report was posted online.
“However, the Philippine National Police requested time to validate and review its systems for possible security compromise considering that the Police were highlighted in the report alleging the data leak,” the NPC said in a statement.
Fowler further alleged in his post that he saw what appeared to be “internal directives addressing law enforcement officers, which may or may not be confidential.”
The NPC has ordered the PNP “to conduct an onsite investigation on the concerned data processing system of PNP” on April 24 headed by the Commission’s Complaints and Investigation Division.
The NPC also invited Fowler to meet with the Commission on April 21.
According to his bio description on Cybernews, Fowler is a security researcher, keynote speaker, and co-founder of the cybersecurity consultancy Security Discovery.
Privacy Commissioner Atty. John Henry Naga called on government agencies to remain vigilant in protecting personal data and to strictly comply with the Data Privacy Act (DPA) of 2012, including the mandatory breach notification requirement under various NPC Circulars.
The DPA mandates private and public organizations to notify the NPC within 72 hours upon confirmation of a breach.