For weeks, PNP staff database was exposed – cyber expert
MANILA, Philippines — An unprotected database containing more than a million identity documents and private records of Philippine National Police personnel and applicants was exposed online for at least six weeks before access to the data was restricted in March, according to a report by a cybersecurity tracker.
The PNP, however, has yet to confirm whether a data breach did occur, while its Anti-Cybercrime Group (ACG) has launched an investigation.
In a report published on the vpnMentor website on Tuesday, cybersecurity researcher Jeremiah Fowler reported the exposure of a nonpassword-protected database containing over 1.2 million records, mostly of personal documents of police officers and other employees, as well as of applicants.
The 817.54-gigabyte database contained scanned and photographed copies of original documents, including birth certificates, educational record transcripts, diplomas, tax filing records, passport, and police identification cards, according to Fowler’s report.
There were also clearances issued by the PNP, National Bureau of Investigation, Bureau of Internal Revenue, and Civil Service Commission, among other documents with fingerprint scans and signatures of the owners, the report showed.
‘Internal police directives’
The database also appeared to contain documents relating to internal directives addressing law enforcement officers, which Fowler noted, “may or may not be confidential.”
In an email exchange with the Inquirer on Wednesday, Fowler said he discovered the unprotected PNP database in mid-January and promptly informed the authorities of its exposure.
But it wasn’t until the second week of March when action was taken and public access to the database was removed, he said.
By then, the database had been exposed for at least six weeks, Fowler noted, although he said it was unclear exactly how long the database had been accessible or if anyone else might have gained access to it.
Asked for comment, the PNP said it was already made aware of the exposed database. Brig. Gen. Sidney Hernia, the director of ACG, however, said “we cannot categorically say at this time that there was a leak” of the data of its personnel and applicants.
According to Hernia, the ACG is still conducting “vulnerability assessment and penetration testing” on PNP’s systems.
Fowler shared with the Inquirer screenshots of several redacted documents that he said he was able to access from the exposed database, warning that cybercriminals could have used them for unscrupulous activities.
“As you can see based on these… we can confidently say there most certainly was a breach and all of the records were related to individuals in law enforcement. These should have not been exposed or accessible without password protection,” he said.
Fowler said that upon discovering the database he sent over 15 “responsible disclosure notices over several weeks” to multiple Philippine government agencies.
But he said he received a reply from the NBI only on Feb. 26, acknowledging his report of the possible breach, and another reply the next day from the National Computer Emergency Response Team (NCERT), a division under the Cybersecurity Bureau of the Department of Information and Communications Technology, saying it was looking into the matter.
Fowler said he followed up multiple times with the NCERT for updates until public access to the database was restricted around two weeks later, either March 10 or March 11.
While there existed a potential risk of a cyberattack or the encryption of the database via ransomware — a type of malicious software designed to block access to a computer system until a sum of money is paid — he did not observe signs of this in his investigation.
“Any data breach that exposes personal information belonging to police and members of law enforcement or other officials can be dangerous. Individuals whose data is exposed could be potential victims of identity theft, phishing attacks, and a range of other malicious activities,” Fowler said in the report.
“It would be easy for criminals to apply for loans, credit, or other financial crimes using the identity of these individuals and supporting documents,” he added.
Fowler is a cybersecurity researcher at vpnMentor and cofounder of Security Discovery, a cybersecurity provider with technical headquarters listed in Hamburg, Germany.
vpnMentor is a website that reviews VPN providers and regularly publishes cybersecurity reports. Its Research Lab works with data privacy agencies and computer emergency response teams to identify cyber threats and help protect businesses’ and organizations’ user data. In 2019, it established its pro bono cybersecurity analysis team.
On its website, it said it has published almost a hundred cybersecurity reports, discovered at least 70 company breaches, and found billions of cyber leaks.
Fowler told the Inquirer that he appreciated the “very professional” handling of the incident by local authorities, but he lamented the slow response.
“I told them that I understand that in any government, there is bureaucracy and time delays. But these are the most sensitive records publicly exposed,” he said.