MANILA, Philippines — Amid ongoing investigations, there is no “concrete evidence” yet that more than 1.2 million records from several government agencies were leaked, according to the country’s privacy regulator.
But the National Privacy Commission (NPC) agreed with the findings of a cybersecurity researcher who first reported the possible breach since government data had been left unprotected.
“At this point, we still have no concrete evidence that indeed 1.2 million records [were] leaked. What we know now is that it was left exposed,” lawyer Michael Santos, chief of NPC’s complaints and investigation division, said in an interview on ANC on Friday.
In a statement, NPC Commissioner John Henry Naga, however, assured that there were no breaches in the systems of the National Bureau of Investigation, Civil Service Commission (CSC), and Bureau of Internal Revenue (BIR).
The NBI, CSC, and BIR conducted vulnerability tests and found no breaches in their systems.
The Philippine National Police, however, requested more time to validate and review its systems for possible security compromise.
Santos said the NPC would conduct an “onsite investigation” on the concerned data processing system of PNP on Monday.
Cybersecurity researcher Jeremiah Fowler, who reported the data breach, was also summoned by the commission on Friday to help in its investigation.
“We expect first to be let into the data processing centers of the PNP to inspect their systems, to check their logs and to match data if indeed they are the ones collecting that information,” Santos said.
“If there’s a match, we could possibly identify if indeed it was the processing systems of the PNP that were left exposed. And in the process we will verify if the exposed database was indeed leaked,” he added.
Santos said that after an initial look at the documents in the exposed database, the NPC is looking at the possibility that the breach “could be related to [the PNP’s system handling] job applications or job recruitment.”
“The recent allegations of a data breach involving law enforcement agencies in the country should serve as a reminder that no organization, not even the government, is immune to the threat of cyberattacks,” Naga said in a statement.
The National Computer Emergency Response Team, a division under the Cybersecurity Bureau of the Department of Information and Communications Technology, is also investigating the breach.