PSA probes data breach: What’s affected, what’s not
The Philippine Statistics Authority (PSA) on Wednesday said it had investigated a reported data breach of its systems for the national ID project and civil registration, assuring the public that both were not compromised.
The PSA, however, said its Community-Based Monitoring System (CBMS) had been affected and that it was still assessing the kind of personal data that may have been exposed.
The agency uses CBMS to generate data at the local level to form a basis for targeting households in the planning, budgeting and implementation of the government’s social programs.
“The PSA strongly condemns this activity and we will be working with all law enforcement agencies to apprehend the perpetrators,” the agency said in a statement.
A breach notification was sent to the National Privacy Commission (NPC) as early as 6 p.m. on Tuesday, setting off initial assessments, the NPC said on Wednesday.
The investigation was launched in response to social media posts last week about a supposed data breach involving a PSA-run system.
“The agency is taking additional preventive and containment measures to ensure the security and integrity of all systems and databases that it manages, including shutting down and isolating the system known to have been affected,” the PSA said.
‘Raise awareness’
“The PSA warns the public that social media posts with the alleged sample data include links that contain malware that may be used by cybercriminals and bad actors to perpetuate other illicit acts. Therefore, the public is strongly advised not to click on such links,” it added.
The online group Deep Web Konek said it had monitored activities on social media claiming connection to the PSA breach. It said a Facebook user had posted a sample of the leaked data but that its apparent aim was not to expose sensitive information but just raise awareness on how vulnerable the government statistics agency has become to cyberattacks.
In a post on X (formerly Twitter), data analyst Dominic Ligot said the leaked data dump had files with 42 billion rows containing identification cards and other sensitive information. A row refers to a single group of related data within a table.
The reported PSA leak came on the heels of a data breach at the Philippine Health Insurance Corp. (PhilHealth), where the NPC last week reported the theft and leakage of a “staggering” 730 gigabytes (GB) worth of data.
Guidelines on fake IDs
The NPC on Wednesday issued guidelines concerning the potential use of fake PhilHealth IDs cards, warning banks, hospitals and telco companies that these may be used in transactions.
“The recommended action for these entities would be to further verify the authenticity of the presented PhilHealth ID. This can be done by cross-checking the information on the ID with the official records or contacting the relevant authorities to confirm its validity,” said Roren Marie M. Chin, chief at the NPC’s Public Information and Assistance Division.
“If there are concerns or suspicions about the authenticity of the ID, it is advisable to follow established internal protocols for handling such cases, which may include reporting the incident to their security teams or management,” she added.
Switching to manual
The massive data breach at PhilHealth has also alarmed Dr. Harish Pillai, CEO of Metro Pacific Health Group, the health-care arm of Manuel V. Pangilinan-led Metro Pacific Investments Corp.
The group is considered the country’s largest operator of hospitals, with 21 health-care facilities that include Makati Medical Center, Asian Hospital and Medical Center and Davao Doctors Hospital.
In a media briefing, Pillai said the group had yet to experience disruptions in the operations of its hospitals that may be traced to the breach, but said it was considering switching to manual processes under directives from PhilHealth.
“We work closely with PhilHealth to address the data privacy requirements of the country and of all our stakeholders,” Pillai said.
