PNP, NBI, BIR and other agencies’ records leaked in massive data breach

Over a million records belonging to the Philippine National Police (PNP), National Bureau of Investigation (NBI), Bureau of Internal revenue (BIR) and other government agencies have been leaked in a massive data breach.

The breach, which was revealed in a report from cybersecurity company VPNMentor on Tuesday, exposed 1,279,437 records or 817.54 gigabytes of both applicant and employee records under multiple government agencies. These include the NBI, BIR, PNP, as well as the latter’s Special Action Force (SAF).

The report warns that the data breach puts the personal information of millions of Filipinos at risk.

Included in the exposed records are highly sensitive data such as birth certificates, passport copies, fingerprint scans, taxpayer identification numbers (TIN), tax records and academic transcripts.

In addition, the internal directives addressing law enforcement officers in the PNP and NBI were also supposedly included in the data breach.

“These would be orders from the top leadership of how to enforce what laws and what gets priority or additional training that is needed etc,” explained report author Jeremiah Fowler. ”

“I cannot further confirm or verify the accuracy or authenticity of these documents contained within this database,” he added. “As such, I cannot guarantee that the contents of the documents are accurate or reliable.”

According to Fowler’s report, the exposed documents were stored in an unsecured database without password protection, making them “readily accessible to individuals with an internet connection” and vulnerable to cyberattack. (Read: Twitter denies data breach involved in leak of 200 million user emails)

“The availability of government records in an unsecured database raises concerns about potential national security issues,” Fowler warned. “The exposed records could also potentially allow criminals to target members of law enforcement for blackmail or other schemes.”

The report also notes that the database was exposed for at least six weeks. Fowler, however, advises that a full forensic audit is still needed to fully understand the extent of the breach.

In a message relayed by PNP Public Information Office Chief Rederico Maranan to Inquirer.net, Anti-Cybercrime Group Director Police Brig. Gen. Sidney Hernia stated that the PNP’s cybercrime unit is still investigating the extent of the data breach.

“We cannot categorically say at this time that there was leaked applicants’ data,” he said.

At the same time, the Philippine National Computer Emergency Response Team thanks Fowler for his report and stated that it was already trying to identify the parties responsible for the breach.

If you like reading our content, why not show your appreciation by treating us to a cup of coffee? (or two, if you’re feeling generous)