Over 1 million records from NBI, PNP, other agencies leaked in huge data breach

JJReyes
Posted
8 hours ago, BrettGC said:

This is not conjecture on my part; take it from someone that lived this daily, exploiting foreign intelligence targets' so-called "secure" information, targeting at both the individual and organizational levels while some of my colleagues were countering the same.   

Governments engage in defense and offense information gathering targeting both hostile and friendly nations.  That's the reason I joked that the Americans and Chinese already have the Philippine information that was hacked.  I found it funny when the Germans complained that Americans were listening to all conversations by Chancellor Angela Merkel whenever she used her mobile phone.  The Americans promised to stop doing it.   Probably assigned the work to a contractor in another country.  

  • Haha 1

hk blues
Posted

I read today that the BIR chief has stated the breach didn't come from the BIR but he didn't deny there had been a breach.  How he knows it didn't come from his group given the investigation has not been completed yet I don't know - I suppose he asked around! 


  • Forum Support
Mike J
Posted

In reading the article it says the database was not secured.  The security report goes on to say there is no evidence of breach or hack.  The unsecured database was found by a Cybersecurity Researcher (white hat hacker).  So it is possible it was not leaked prior to the discovery and report.

<snip>

Fowler reported that these government documents were stored in an unsecured, non-password-protected database “readily accessible to individuals with an internet connection” and left vulnerable to potential cyberattacks or encryption via ransomware. While Fowler recorded no current indication of such attacks, he emphasized that law enforcement officers are endangered when their personal documents are left in the open.

<end snip>

Found the actual report here if anyone is interested.

https://www.vpnmentor.com/news/report-philippine-police-breach/

Cybersecurity Researcher Jeremiah Fowler has recently reported to vpnMentor about the existence of a non-password protected database containing over 1.2 million records.

Upon further research, I identified these records to be related to individuals who were employed or applied to work in law enforcement in the Republic of the Philippines, and could be broadly categorized into:

  • Documents relating to individuals who either applied for law enforcement roles (“Applicant Records”) or had been employed to work in law enforcement roles (“Employee Records”) in the Republic of the Philippines; and
  • Ancillary documents relating to the affairs and administration of law enforcement agencies in the Philippines.

These Applicant Records and Employee Records contained highly sensitive personally identifiable information (PII). I saw scans of official documentation such as passports, birth and marriage certificates, drivers’ licenses, academic transcripts, security clearance documents, and many more.

1. Employee and Applicant Identification Records

The database appeared to contain a selection of records pertaining to the academic and/or personal history of each Applicant or Employee. Samples of records include copies of fingerprint scans, signatures, and required documents from multiple Philippine state agencies including the Philippine National Police, National Bureau of Investigation (NBI), Bureau of Internal Revenue, Special Action Force Operations Management Division, Civil Service Commission, amongst others. The signature on file I can only assume is for verification purposes later if it was ever needed to prove it was their signature.

The database also contained character recommendations, in the form of letters from courts and municipal mayors' offices certifying that those individuals applying to work in law enforcement possessed a good moral character and had no prior criminal records. Nearly all countries require some form of background check to work in law enforcement. These documents are what is required in the Philippines. There was also a selection of documents containing Tax Identification Numbers (“TIN”) - a nine-digit number given to individual and corporate taxpayers by the tax authorities in the Philippines for identification and record-keeping purposes.

2. Additional Records

Based on the limited samples of records I viewed, the database also appeared to contain documents relating to internal directives addressing law enforcement officers, which may or may not be confidential. As an example these would be orders from top leadership of how to enforce what laws and what gets priority or additional training that is needed etc. As an ethical researcher, I cannot further confirm or verify the accuracy or authenticity of these documents contained within this database. As such, I cannot guarantee that the contents of the documents are accurate or reliable. Furthermore, we are cognisant that accessing, downloading, or using these documents without proper authorisation is prohibited and illegal, hence I have not conducted additional verification or due diligence on these documents.

What the database contained

  • Total size: 817.54 GB
  • Total number of records exposed: 1,279,437
  • Employee and Applicant Identification Records: Scanned and photographed images of original documents that included: birth certificates, educational record transcripts, diplomas, tax filing records, passport and police identification cards. Included in the files were combined records certifying that there are no pending cases or criminal history for the officer. These included Republic of the Philippines justice department’s certification, local or regional court records, and the National Bureau of Investigation (NBI) identification and clearance documents.

Any data breach that exposes personal information belonging to police and members of law enforcement or other officials can be dangerous. Individuals whose data is exposed could be potential victims of identity theft, phishing attacks, and a range of other malicious activities. It would be easy for criminals to apply for loans, credit, or other financial crimes using the identity of these individuals and supporting documents. The availability of government records in an unsecured database raises concerns about potential national security issues. The exposed records could also potentially allow criminals to target members of law enforcement for blackmail or other schemes.

As security researchers, our primary objective is to ensure the protection of data and to help secure any exposed data. It is crucial to emphasize that the information in question was readily accessible to individuals with an internet connection. I am confident that my responsible disclosure has served to safeguard the affected individuals, the database, and network systems of the Republic of the Philippines. Furthermore, there existed a potential risk of a cyber-attack or the encryption of the database via ransomware, although I did not observe any such indications during my investigation. My reporting was strictly limited to outlining the actual risks that could have arisen from such a data breach.

As a professional researcher, I adhere to ethical practices and conduct my investigations with utmost integrity. During my assessment, I view only a restricted sample of records to authenticate my findings, without extracting any data. I am fully cognizant of the national security implications of data breaches and aim to protect the personally identifiable information (PII) of law enforcement personnel in the Philippines.

As researchers, we maintain objectivity and do not insinuate any wrongdoing by law enforcement agencies in the Philippines or suggest that any officers were at risk due to the leaked records. I have attempted to initiate dialogue with relevant authorities but have not received an official response, making it challenging to pinpoint any parties potentially responsible for the data breach. I sent over 15 responsible disclosure notices over several weeks to multiple agencies before action was finally taken. The Philippine National Computer Emergency Response Team responded to several of my messages thanking me for reporting and indicated they were trying to identify who was responsible for the data exposure.

Due to the amount of time from when the exposure was discovered, reported, and finally closed it is unclear exactly how long the database was publicly accessible or if anyone else may have accessed it. I can validate that the data was exposed for a minimum of 6 weeks, during which I did my best to have it secured. To fully understand the extent and impact of the breach, a comprehensive forensic audit is necessary.

  • Like 1
  • Thanks 1

Possum
Posted
On 4/22/2023 at 6:29 AM, Mike J said:

In reading the article it says the database was not secured.  The security report goes on to say there is no evidence of breach or hack.  The unsecured database was found by a Cybersecurity Researcher (white hat hacker).  So it is possible it was not leaked prior to the discovery and report.

<snip>

Fowler reported that these government documents were stored in an unsecured, non-password-protected database “readily accessible to individuals with an internet connection” and left vulnerable to potential cyberattacks or encryption via ransomware. While Fowler recorded no current indication of such attacks, he emphasized that law enforcement officers are endangered when their personal documents are left in the open.

It seems it wouldn't need to be hacked if it was unsecured and not password protected.

  • Like 1
