The Department of Communications and Information Technology (DICT) has concluded its investigation into the recent data breach involving 1.2 million records of law enforcement agencies, stating that no hacking was involved, but rather a data leak.
In an interview, DICT Secretary Ivan Uy said that a cybersecurity researcher discovered an online recruitment portal of the Philippine National Police (PNP) that had no security measures in place and was accessible to the public.
"It was not a hack. It was a data leak. A cybersecurity researcher happened to find a site where there was no security. It was just open to the public." he said.
The data leak originated from the PNP's online recruitment portal, as per the DICT investigation.
It should be noted that a cybersecurity firm, VPNMentor, had previously reported a "massive data breach" of employee and citizen records from the PNP, National Bureau of Investigation (NBI), Bureau of Internal Revenue (BIR), and Civil Service Commission (CSC).
The compromised database allegedly contained highly sensitive personal information, such as passports, birth and marriage certificates, driver's licenses, academic transcripts, and security clearance documents.
Uy clarified that the data leak did not occur in any other agency apart from the PNP.
"PNP lang po. Applicants na maging police" he added.
Furthermore, Uy revealed that the site was not professionally developed and that the project was a "mom-and-pop operation" within the government agency.
"Because it is a government agency, they just adopted and used it without even consulting the DICT on what are the best practices and international standards in terms of cybersecurity and data protection," Uy added.
He also mentioned that the site has been shut down since the discovery of the data leak.
The National Privacy Commission has also initiated an investigation to determine if any protocols, laws, or guidelines were violated in this incident.
