DICT confirms hacking of disaster unit’s portal

MANILA, Philippines — The Department of Information and Communications Technology (DICT) confirmed that there was a successful data hack on its Disaster Risk Reduction and Management Division (DRRMD) portal and systems.

At a virtual press conference called last night, Renato Paraiso, ICT assistant secretary for legal affairs and spokesman, said the hack was limited to the DRRMD systems, which he stressed was not connected to the DICT central office systems.

“We confirm that there was a breach in one of the external units of the DICT, the Disaster Risk Reduction Management... the DRRMD, the disaster and emergency response unit of DICT,” Paraiso said.

“This system is outside the system of (DICT) central office,” Paraiso said.

He pointed out that the DRRMD portal was an open system because it was meant for information dissemination during emergencies.

Paraiso said the system of the DRRMD was intentionally designed to be easily accessible and had no firewalls.

Paraiso stressed the hack was isolated to that of the DRRMD.

“When it comes to the extent and the size of the data, very, very minor,” Paraiso said.

The data breach compromised data of about 10 individual employees of the unit.

“Even the government assets – the vehicles, the systems there. That’s the only data that’s stored there,” Paraiso said.

“Again, even though it’s not a privacy concern, we already reported this to the National Privacy Commission because it involved employee data,” Paraiso said.

Jeffrey Ian Dy, ICT Undersecretary for Infostructure Management, Cybersecurity and Upskilling, said the breach involved about 230MB of data.

“Affected are disposition of our Emergency Communications System. No sensitive data exposed. Please note that this is an emergency information portal for disaster coordination which is detached from the entire DICT ICT infrastructure,” Dy told The STAR.

Dy said the DICT was already going after the hacker that claimed responsibility for the hack.

“We are investigating PH1NS further,” Dy said.

The country’s largest e-wallet service provider GCash assured the National Privacy Commission (NPC) that there has been no data breach that has compromised the personal data of any of its millions of users.

The NPC said GCash has not filed any breach notification report regarding any supposed data breach on its systems.

Rainier Anthony Milanes, chief of the NPC compliance and monitoring division, said that “in the interest of transparency,” GCash had reached out to them as early as June 27 regarding the alleged data breach.

“GCash has conducted the initial assessment of their systems and found that there was no indication of a personal data breach,” Milanes told The Star. — Emmanuel Tupas