PNP starts probe on ‘data leak’

The personal data of police officers and applicants, including this screenshot of a redacted police clearance certificate, becameaccessible to the public forweeks, says Jeremiah Fowler of cybersecurity tracker vpnMentor.

SENSITIVE RECORDS The personal data of police officers and applicants, including this screenshot of a redacted police clearance certificate, became accessible to the public for weeks, says Jeremiah
Fowler of cybersecurity tracker vpnMentor. —CONTRIBUTED PHOTO

The Anti-Cybercrime Group of the Philippine National Police is fast-tracking its internal investigation into the possibility that some police personnel might have violated Republic Act No. 10173, or the Data Privacy Act of 2012, for the recently reported leak involving the data of more than a million applicants and employees of the police agency.

In a statement on Thursday, the PNP said its Directorate for Information and Communications Technology Management (DICTM) began an assessment of the systems to determine possible violations or lapses in protocols and procedures.

“The PNP reiterates the statement of DICT (Department of Information and Communications Technology) Secretary John Uy that there was no hacking incident, intrusion or breach on the PNP database and that it is actively coordinating with the said office for a parallel investigation,” it said.

As of Thursday afternoon, the PNP Comprehensive Online Recruitment Encrypting System—the portal where police applicants fill out forms and upload relevant documents—has been inaccessible and is “undergoing maintenance.”

“We assure the public that we are closely collaborating with [the] DICT to ensure the security, safety, and privacy of information in the custody of the PNP to strictly comply with the provisions of the Data Privacy Act,” the PNP said.

Uy said the PNP had committed “serious lapses” in the leakage of more than 1.2 million employee and application records of the PNP.

The leaked data included clearances issued by the PNP, the National Bureau of Investigation, the Bureau of Internal Revenue and the Civil Service Commission.

But Uy, at a press briefing on Tuesday, denied there was a “massive” data breach or hacking.

“So it’s not a hack; it’s not a breach. There was no intrusion into any government system,” he said, adding that there was a data leak due to a vulnerability in the PNP’s system.

No data was also stolen or extracted from any government or secured government database.

In a report published on April 18 on the vpnMentor website, cybersecurity researcher Jeremiah Fowler said an 817.54-gigabyte database not protected by a password, had been accessible to the public for weeks from January to March, exposing scanned and photographed images of original documents that included birth certificates, educational record transcripts, diplomas, tax filing records, passport and police identification cards.

Read more...