PSA exec says hacked financial info from system ‘not extensive’
MANILA, Philippines — An official of the Philippine Statistics Authority (PSA) said Thursday that the financial data hacked from its system is “not extensive.”
PSA Data Protection Officer Eliezer Ambatali said the leaked financial information of people from poor communities came from the Community-Based Monitoring System (CBMS) and contains fewer details than other surveys of the agency.
The CBMS was created via Republic Act No. 11315, which mandated government agencies to collect, process, and validate disaggregated data that can be used to plan programs for poverty-stricken areas. Basically, the CBMS contains data on households targeted by the government for poverty alleviation programs.
READ: ‘Deeply alarming’: PSA data breach calls for full probe – senator
Article continues after this advertisementPSA is the lead agency in implementing R.A. No. 11315, otherwise known as the CBMS Act.
Article continues after this advertisement“There are demographic information in the CBMS, there are educational information, we have also collected financial characteristics not necessarily connected to an amount, and some others. For the demographic information, certainly these are confidential,” Ambatali said in an interview with ABS-CBN News Channel’s Headstart.
“For the CBMS, it’s not as extensive, the financial information, that’s not extensive as the other surveys of the PSA. We collect non-income related characteristics relating to (the) financial status of our respondents,” he added.
PSA announced on Wednesday that it suffered a data leak last October 7, following claims of an alleged hacker on social media that the agency’s system was hacked. PSA said an investigation revealed that the data leak only affected a limited portion of its database – particularly the CBMS.
READ: PSA-7 assures: Hacked FB account being addressed
As of Thursday morning, the CBMS webpage within PSA’s website remain inaccessible as the administrator took down certain affected sectors.
Ambatali, however, assured the public that information stored with the National Identification System and PSA’s civil registry services were not affected by the alleged hacking.
“We are confident that the PhilSys (Philippine Identification System), or the National ID as well as the civil registration databases are not affected by this attack. These databases and all other databases that (are) connected with the services of the PSA (are) not connected with the PhilSys, and the civil registration services,” he said.
“In fact we have already monitored even the non-affected (sectors), we have already monitored it, we have scanned it for some malicious activities, and we are employing right now additional security measures on all our systems,” he added.
READ: PSA affiliated page gets hacked, posts random videos and photos
Ambatali also said that after monitoring areas not affected by the attack, PSA implemented measures to ensure that the incident remains isolated.
“We have firewalls that the we employ in our systems, but I think there are, the hackers have seen some vulnerabilities and we have determined that for now, and the IT team of the PSA has already isolated this affected database, this is the network-attached storage system particularly for the CBMS,” he said.
“So we have isolated that and we have turned down temporarily the system that is catering CBMS,” he added.
Days before PSA announced that its system experienced a data leak, the Philippine Health Insurance Corporation (PhilHealth) had a similar cyberattack.
READ: DICT: Hacked PhilHealth data spreading on app contains malware
On October 2, PhilHealth said it was affected by data leak which the National Privacy Commission (NPC) described as “staggering.”
READ: Leaked PhilHealth data ‘staggering,’ says NPC
Initial assessments indicated that more than 730 gigabytes of data from PhilHealth’s system have been compromised, including personal data of several members of the state insurer.
PhilHealth later blamed the hacking on government procurement rules, claiming that the law supposedly barred them from beefing up their cyber defense capabilities.