MANILA – The Department of Science and Technology (DOST) confirmed on Friday that it was among the three government agencies that suffered cybersecurity breaches in August.
The three breaches preceded the Sept. 22 ransomware attack on state-owned Philippine Health Insurance Corp. (PhilHealth), which leaked 734 gigabytes of its members’ personal data, according to the National Privacy Commission.
The PhilHealth breach is believed to be the largest leakage of private data in government care since the Commission on Elections’ “Comeleak” incident in 2016.
In DOST’s case, the leakage involved the email addresses of about 1,000 experts and clients who were registered in the agency’s OneExpert portal, which was meant to help the public connect with experts in given fields.
Rowen Gelonga, DOST Region 6 director, said they first learned of the leak on Aug. 31 when the Philippine National Computer Emergency Response Team informed them that an administrator account was compromised and was used to access the OneExpert site.
Cloud dump of data
But while DOST was fixing other vulnerabilities, an anonymous user posted on social media on Oct. 8 a hyperlink to a cloud dump of data from the OneExpert portal, the Philippine Statistics Authority (PSA) and the Forensics Group of the Philippine National Police (PNP-FG).
All three agencies subsequently tried to downplay the leakages by saying that the breaches were “limited” and no “sensitive” personal data were compromised.
“Based on the investigation, the links posted by the bad actors lead to limited data taken,” said National Statistician Claire Dennis Mapa, who concurrently heads the PSA.
Unlike the PhilHealth attack, however, no “bad actor” made any demand for ransom before the data dump was made, leaving the possibility that they were “white-hat penetration tests” meant to reveal cybersecurity weaknesses.
According to Gelonga, “you don’t have to undermine (or resort) to illegal means to get the names of the experts because the portal has a mechanism for contacting the expert directly.”
Still, he said they regret that the leak happened at all and that the DOST was already beefing up its security measures.
‘An area of concern’
“We admit that this is an area of concern,” he said. “Our system was developed way back in 2016 and we are now overhauling the system.”
The PNP-FG also claimed that no “sensitive” data were compromised.
In a press briefing in Camp Crame on Friday, Police Maj. Michael Ignacio, information technology officer of PNP-FG, said the uploaded data included a ZIP file holding eight files, with filenames indicating they were possibly databases containing DNA information from suspects and victims of police operations.
But this was not the first time that data handled by the PNP were compromised.
In April, cybersecurity researcher Jeremiah Fowler reported the existence of a non-password-protected database with over 1.2 million records, containing mostly employee and application records in the Comprehensive Online Recruitment Encryption System portal operated by the PNP Recruitment and Selection Service. (Dexter V. Cabalza, Ian Nicolas P. Cigaral, Krixia Subingsubing © Philippine Daily Inquirer)