MANILA, Philippines — There was reportedly no hacking in the data breach involving some 1.2 million records of law enforcement agencies.
This emerged from the investigation conducted by the Department of Communications and Information Technology (DICT) into the issue.
“It was not a hack. It was a data leak,” DICT Secretary Ivan Uy said in an interview. “A cybersecurity researcher happened to find a site where there was no security. It was just open to the public.”
Based on the DICT investigation, the data leak originated from the online recruitment portal of the Philippine National Police (PNP) itself.
“It’s an employment portal or recruitment portal. The uploaded documents were the ones that were exposed,” Uy said.
“So, there was no hacking. It was an unsecured site that was just open and anybody could see it,” he added.
It may be recalled that cybersecurity firm VPNMentor reported last week an alleged “massive data breach” involving employee and citizen records from the PNP, the National Bureau of Investigation (NBI), the Bureau of Internal Revenue (BIR) and the Civil Service Commission (CSC).
According to the company, the compromised database contained highly sensitive personal information such as passports, birth and marriage certificates, drivers’ licenses, academic transcripts and security clearance documents.
Uy clarified, however, that the data leak did not occur at the other agencies, only at the PNP.
“Only the PNP. Applicants to become police,” he added.
Uy also said that the site was not yet professionally developed and that the project was a “mom-and-pop operation”.
“Because it is a government agency, they just adopted and used it without even consulting the DICT on what are the best practices and international standards in terms of cybersecurity and data protection,” he added.
The site has since been shut down, he said.
It was learned that the National Privacy Commission has also launched an investigation to determine whether any protocols, laws or rules were violated.
It may be recalled that cybersecurity researcher Jeremiah Fowler discovered the existence of a non-password protected database through an IoT search engine.
He said the database was “publicly accessible” to anyone with internet access.