Opinion

RAT found on PhilHealth data breach

COMMONSENSE - Marichu A. Villanueva - The Philippine Star

Spreading like wildfire, sinister operators in the “dark web” from here and abroad have initiated attacks on the most vulnerable targets they could find in Philippine cyberspace. One after the other, these malefactors in cyberspace attacked the digital data we entrusted to government agencies as well as to private companies and even educational institutions.

The biggest data heist victimized the Philippine Health Insurance Corp. (PhilHealth). Art Samaniego, Tech Section editor of The Manila Bulletin, first reported the Medusa ransomware attack online last Sept. 22. But it took PhilHealth several days to admit that the personal information of 100 million or so members of this government health insurance agency was stolen.

Samaniego has become the country’s go-to guy for information technology (IT) related issues. He completed short courses from the US Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) for Industrial Control Systems (ICS) on Cybersecurity Risks, Threats and Vulnerabilities, among others. He patiently scans the Internet as part of his cyber security work with government and private institutions. He was recognized last year by the Joint Congressional Committee on the Automated Election System for informing the public on the data breach of Smartmatic, which handled our country’s past three automated elections.

Samaniego and his co-founder of ScamWatch Pilipinas, Jocel de Guzman – also the creator of Truth 360 – sought to avert the “mass public panic” stirred by this string of data breach incidents during our Kapihan sa Manila Bay news forum last Wednesday. De Guzman and Samaniego ceremonially launched in our news forum the more user-friendly ScamWatch Pilipinas.com website.

Demonstrating the ScamWatch Pilipinas App, De Guzman explained that the public can now easily and directly access it online or by smartphone. By dialing the Hotline 1-3-2-6, the public can immediately report and complain about cyber scams and other digital crimes with just two button clicks. As an anti-cyber crime advocacy group, ScamWatch Pilipinas partnered with the government in the National Cyber Crime Hub Hotline 1-3-2-6.

Acting motu proprio, the National Privacy Commission (NPC) swung into action and inquired into the PhilHealth data breach incident.

Speaking in our Kapihan sa Manila Bay, NPC Complaints and Investigation Division chief, lawyer Mike Santos, said the NPC is the government-mandated and authorized agency to protect against any illegal data processing by unauthorized persons or entities. Santos told us the NPC was alerted about two separate cyberattacks last Tuesday.

One was the website of De La Salle University (DLSU), which reported to the NPC the “data security incident” affecting its online student and faculty portals. The other was the data breach notification report submitted to the NPC by the Philippine Statistics Authority (PSA).

Republic Act (RA) 10173 or the Data Privacy Act of 2012, Santos pointed out, requires personal information controllers (PICs), or organizations that process the personal data of citizens, to submit a data breach notification report within a 72-hour period if they have been, or suspect they have been, the subject of a data breach attack.

In the latest PSA data breach, Samaniego and Santos confirmed those behind it are a group of “youngsters” who apparently wanted to show off their hacking skills by posting on the surface web, or the part visible on popular social media platforms. Nonetheless, Santos declared the full force of the Data Privacy Law will apply against these hackers.

Just a few months ago, Santos recalled, the NPC investigated the data breach on the National Identification (ID) issued in Iloilo by the PSA and “dumped” on a social media platform. According to Santos, they have completed and submitted their findings and recommendations to the three-man en banc of the NPC.

Aside from the Data Privacy Act, Santos added, individuals and entities could also be held liable under RA 10175, or the Anti-Cyber Crime Act, for such digital data breaches. Abiding by due process of law, Santos declined to give any further update on this first data breach involving the PSA until all sides are heard.

Santos explained that the NPC determines administrative lapses and sanctions and can also recommend criminal proceedings against individuals and entities as well as any government official found liable in the data breach. He noted these laws impose both a jail term of four years minimum and payment of a fine of not less than P3 million.

In the case of PhilHealth, Samaniego disclosed that a notorious Russian mafia was behind the Medusa ransomware attack. According to him, the cyber security advocates group SOROS, which monitors the “dark web,” detected this in the wee hours that day. As a member of this group, Samaniego immediately reported the Medusa attack to the Department of Information and Communications Technology (DICT), which in turn alerted PhilHealth.

Also just a month ago, Samaniego revealed, Yakult Philippines and its financial partner similarly reported a ransomware attack from a local cyber group known as AlphaV in the “dark web.” Samaniego noted these “dark web” criminals demand ransom payment using bitcoins to avoid detection.

Samaniego earlier coined the term “scam-demic” during our conversations at the Kapihan sa Manila Bay news forum held less than a month ago. He likened it to the COVID-19 pandemic because these scammers can also get our social media contacts victimized. Scammers and identity thieves can access the personal information of our own family members, relatives, friends, classmates, co-workers, and other people.

With this looming “scam-demic,” the NPC cautioned the public not to download, or try to access the links to, the purloined hacked digital materials, lest they also be charged with breach of the Data Privacy Law. Worse, doing so could infect their mobile phones, computer systems and other digital gadgets with a RAT virus, or remote access Trojan, as found in the PhilHealth data breach.
