THE National Privacy Commission (NPC) has called on data collection agencies to take steps to secure the personal data they gather as it started looking into a cybersecurity firm’s allegation of a massive data breach of Philippine National Police records.

The reported breach also raised concerns about the security of other personal information that government agencies have gathered, with a lawmaker pointing out that law enforcement agencies are supposed to be among the most secure in the country. 

“We would also like to have this opportunity to remind those who process personal data that they concomitantly have the duty to protect the data they collect. Do not collect if you can’t protect,” Privacy Commissioner John Henry Naga said in a statement on Thursday, April 20.

The NPC was set to meet with concerned government agencies on Thursday as part of its probe into the reported leak of personal data. 

Over 1.2 million leaked data

Cybersecurity researcher Jeremiah Fowler of vpnmentor.com said he discovered the existence of “a non-password protected database” worth 8.175 gigabytes and containing 1,279,437 records of individuals who were employed or applied to work in various agencies in the country.

The report also noted that the exposed PII includes birth certificates, educational record transcripts, diplomas, tax filing records, passports, and police identification cards. The researcher also found copies of fingerprint scans, signatures, and other required documents.

Such documents were from agencies including the PNP, National Bureau of Investigation (NBI), Bureau of Internal Revenue (BIR), and Civil Service Commission (CSC), among others.

On Thursday, the PNP and NBI said that they are currently conducting an internal probe and assessment to verify the allegations of a cybersecurity breach.

“We cannot categorically say at this time that there was leaked applicant data,” said Police Brigadier General Sidney Hernia, director of the PNP Anti-Cybercrime Group. 

“We are still conducting vulnerability assessment and penetration testing. We also requested complete access logs from PRSS (PNP Recruitment and Selection Service) to evaluate those logs.”

Meanwhile, NBI spokesperson Giselle Dumlao denied that there is an existing breach within their system based on their initial assessment.

“Based on the initial assessment of our IT people, so far wala kaming nakitang breach sa aming system but continuous ang aming verification at monitoring [we did not see any breach on our system but our verification and monitoring continue],” she said. 

Republicasia tried to reach out to the PNP and NBI for an update regarding their investigations; however, the publication has yet to receive a response. 

Legislators question safety of data 

Several lawmakers raised concerns regarding the data breach claims involving employees of law enforcement agencies.

House Deputy Minority Leader and ACT Teachers party-list Representative France Castro said the alleged breach calls into question the security of personal data collected by other government offices.

“It also begs the question of how safe are the data under the national ID system, the SIM registration, and even the proposed e-governance bill. If government law enforcement agencies were hacked, how can we be sure that the PSA or the telecom data from Filipinos are safe,” Castro said. 

Law enforcement agencies are supposed to be the most secure, and yet here come reports that their data have been compromised, she said. 

Albay 2nd District Representative Joey Salceda urged the National Telecommunications Commission and the NPC to ensure that the data gathered from the SIM registration is “well-guarded and secured.”

This is to guarantee that no similar incident involving personal data will arise from the registration activities.

“SIM card registries will be the largest source of personal data in the country. So, they will be targets. I call on the NTC and the NPC to make the necessary reviews and proactive measures to ensure that a similar data breach will not take place in SIM registries,” Salceda said in a separate statement.

How serious is this data breach?

Personal data leaks are rampant in the Philippines. In a 2022 poll, California-based technology firm Cisco reported that about 80 percent of companies in the Philippines have fallen victim to data breaches over the past 12 months, with two in every five firms suffering the loss of at least  P28.13 million ($500,000) to fraudsters. 

In more recent statistical data generated by Surfshark in the first quarter of 2023, the Philippines took the 17th spot in the global list of highest data breach incidents, with its total information leak amounting to 122.89 million. Its top leaked data point, similar to the majority in the list, is password data.

According to Fowler’s report, data breaches that leave personal information unprotected, especially those belonging to police and members of law enforcement or other officials, are precarious.

“Individuals whose data is exposed could be potential victims of identity theft, phishing attacks, and a range of other malicious activities,” the report read. “It would be easy for criminals to apply for loans, credit, or other financial crimes using the identities of these individuals and supporting documents.” 

Fowler also said that unsecured databases could pose potential national security threats. He added that it could allow criminals to “target members of law enforcement for blackmail or other schemes.”

To solve the dilemma and fully understand the extent and impact of the leak, Fowler recommended that the agencies conduct a comprehensive forensic audit, as his report is “strictly limited to outlining the actual risks that could have arisen from such a data breach.”

He also mentioned that he found it difficult to identify potentially responsible parties for the data leakage. Fowler also disclosed that he “attempted to initiate dialogue with relevant authorities but has not received an official response.”

The cybersecurity researcher even had to file more than 15 responsible disclosure notices to multiple state agencies over the previous weeks before an action was taken.

This privacy violation claim implies that the personal information collected by other government agencies could also be vulnerable to breaches. 

The current data security issues could also serve as proof that if law enforcement officers could experience such threats, ordinary Filipinos could also encounter this risk.

Who’s supposed to protect Filipinos’ personal data? 

Republic Act 10173, also known as the Data Privacy Act of 2012, seeks to protect the personal data of individuals in the country. It took effect on September 8, 2012.

This legislation aims to establish a regulatory framework for the protection of personal data in the country by regulating the processing, storage, and dissemination of personal information. 

It requires organizations and individuals who collect and process personal data to adhere to strict data protection standards and implement appropriate security measures to prevent unauthorized access, use, and disclosure of personal data.

The Data Privacy Act of 2012 also imposes penalties for violations of its provisions, which may include the following:

• Administrative fines – The NPC may impose administrative fines of up to P5,000,000 (approximately USD 100,000) for violations of the Data Privacy Act. The amount of the fine may depend on the gravity of the offense, the number of individuals affected, and other factors.
• Imprisonment – The Data Privacy Act also provides for imprisonment of up to six years for certain offenses, such as the unauthorized processing of sensitive personal information.
• Civil liabilities – Individuals or organizations that violate the Data Privacy Act may also be liable for civil damages to the affected individuals.
• Revocation of license or permit – The NPC may also revoke the license or permit of an organization found to have violated the Data Privacy Act.

It’s important to note that the imposition of penalties may depend on the gravity of the offense, the degree of culpability, and other factors that the NPC may consider in its investigation. 

The penalties are intended to deter individuals and organizations from violating the Data Privacy Act and to ensure that personal data is protected in the Philippines.

Under the law, individuals have the right to be informed of the collection, processing, and storage of their personal data, and to access and correct such data. The law also imposes penalties for violations, including fines and imprisonment.

The NPC is the regulatory body responsible for enforcing the Data Privacy Act. It issues guidelines, conducts investigations, and imposes sanctions for violations of the law.