MANILA, Philippines — The recent hacking of Philippine Health Insurance Corp. (PhilHealth) computers affected the accounts of “millions” of members, making it the largest breach of government data since the Commission on Elections’ (Comelec) “Comeleak” incident in 2016.
On the sidelines of the Cybersecurity Month 2023 event on Monday, Information Undersecretary Jeffrey Dy confirmed that a “significant” amount of PhilHealth members’ private information was stolen during the Medusa ransomware attack.
“We gave a statement that so far we found thousands of [affected accounts]. But it now seems the number is larger,” said Dy, who heads the Department of Information and Communications Technology’s (DICT) cybersecurity division.
According to him, they were roughly 90 percent done analyzing the stolen data, which the National Privacy Commission said involved a “staggering” 730 gigabytes of information, roughly equivalent to over one million PhilHealth membership registration forms.
Dy warned the public against accessing the leaked files since they found malware attachments during their ongoing analysis. “We’ve seen a lot of those files with questionable extensions that could be used as entry points [by fraudsters],” he said.
Public awareness
The DICT, together with Digital Pilipinas, launched the monthlong celebration to raise public awareness of cybersecurity. Growing attacks have become a headache not only for businesses but also for a number of national government agencies.
In April, over one million records from the Philippine National Police, National Bureau of Investigation, Bureau of Internal Revenue, and Special Action Force were leaked in a separate data breach.
But the PhilHealth data breach, based on the latest estimates, could be the biggest since the Comelec hacking incident that affected the personal information of about 55 million registered voters.
Information Secretary Ivan Uy told reporters that they could not properly assess the integrity of all national government agencies because of the DICT’s limited resources and shrinking cybersecurity budget, which he said had been downsized from P1 billion in 2022 to around P300 million for next year.
“While the threats [of cyberattacks] keep on growing, our cybersecurity budget is getting smaller and smaller,” he pointed out, adding that despite their limited resources, they were also building up their cybersecurity personnel.
Confidential fund
House Deputy Minority Leader and ACT Teachers Rep. France Castro, however, thumbed down the DICT’s request for a P300-million confidential fund for 2024, saying what it needed was “more auditable funds to hire more personnel and buy more equipment to keep Philippine cyberspace safe.”
In a statement on Monday, Castro pointed to the proliferation of scammers and hackers, “a glaring example of which was the PhilHealth cyberattack.”
“If the DICT is saying that it is undermanned to check or safeguard Philippine cyberspace, then [it] should hire more personnel rather than ask for the untransparent confidential fund,” she said. “The DICT should not be given confidential funds anymore. It needs funds for personnel and equipment to protect Philippine cyberspace, and not to conduct surveillance.”
Castro noted that the agency was given a confidential fund of P400 million in 2019 and P800 million the following year.
She cited Bayan Muna chair Neri Colmenares’ earlier statement pointing to reports that the DICT disbursed P300 million of its 2019 confidential funds as cash advances, “even without the approval of the national treasury through a notice of cash allocation.”