DICT exec: ‘Unsecured’ PNP recruitment portal ‘not professionally developed’
MANILA, Philippines — Secretary Ivan John Uy of the Department of Information and Communications Technology (DICT) said that the recruitment portal that exposed over a million records of police applicants was “not professionally developed.”
Uy reaffirmed that no personal records were stolen in the recent hacking incident; only information from the Philippine National Police’s (PNP) recruitment portal was compromised.
“Because it’s a recruitment portal, the public uploaded their NBI clearance, their birth certificates, their driver’s license, whatever documents that they have to submit to the recruitment portal,” the DICT official said over ANC when asked about the leaked records of more than 1.2 million PNP employees and applicants.
The DICT chief also clarified that the incident was not a breach of multiple government agencies but of a single employment portal.
According to Uy, the documents were exposed due to an unsecured site rather than a hacking attempt. While the portal was created for those looking to work with the PNP, Uy did not specify which agency created it.
A DICT investigation found that no information and communication technology or cybersecurity professionals were consulted by the government agency responsible for the now-defunct recruitment portal for police applicants.
“During our investigation, we discovered that this site was actually not professionally developed. In fact, the IT department of that government agency was not even called in order to help design and develop the system,” Uy said.
Calling it a “mom-and-pop operation,” Uy explained that only one agency site was unprotected.
Uy did not say if he was still referring to the PNP.
“They just adopted and used it without even consulting the DICT on the best practices and the international standards that should be adopted in terms of cybersecurity, data protection, and so on. So without going through all that regulatory protection mechanism, it was deployed and that’s the exposure that happened,” he narrated.
The PNP job applicants’ sensitive personal files were exposed in an unprotected database, as reported by cybersecurity researcher Jeremiah Fowler on vpnMentor on April 18. With over 1.2 million files up for grabs, individuals with internet access were apparently able to access them without a password. DICT chief Uy shut down the recruitment site, and the National Privacy Commission (NPC) is investigating.
“The NPC has already initiated an investigation – if there were any protocols that were violated or any rules – so that the people who caused this could properly be made accountable,” he said.
Uy asked government agencies to seek assistance from DICT in developing their cyberspace infrastructures. He reminded them that DICT was created to help them adopt world standards in ICT systems. He also urged them to stop seeking help from individuals who lack the necessary credentials or certifications.