An unprotected database containing over 1.2 million records was allegedly leaked, as reported by Jeremiah Fowler, a cybersecurity researcher at vpnMentor. In his report last Tuesday, April 18, 2023, he said that, based on the limited sample of records he viewed, the database contained sensitive information such as scans of passports, birth and marriage certificates, drivers' licenses, Taxpayer Identification Numbers (TIN), security clearances, etc. The documents, employee and applicant identification records, were related to law enforcement roles.
Yesterday, April 19, 2023, PBGen. Sidney Hernia, the director of the PNP's Anti-Cyber Crime Group, stated the following: "We cannot categorically say at this time that there was a leaked applicants data. We are still conducting vulnerability assessment and penetration testing. We also requested complete access logs from PRSS (PNP Recruitment and Selection Service) to evaluate those logs."
And today, April 20, 2023, the National Privacy Commission (NPC) called a meeting on the reported law enforcement personnel data breach.
If the investigation proves that there were no data breaches, that's good. But if there were, then the PNP's Anti-Cyber Crime Group or the Philippine National Computer Emergency Response Team (CERT-PH), whichever is tasked to look into this, should take the following steps:
Do not perform Vulnerability Assessment and Penetration Testing (VAPT) while a data breach investigation is ongoing. Testing may interfere with the investigation, since it could destroy or alter evidence related to the breach; for instance, scan traffic lands in the very access logs the investigators are trying to read. In addition, resources should be focused on containing the breach, investigating the incident and implementing corrective actions.
Activate the Information Leakage incident response playbook (ideally there should be one). If there is none, the incident response team should obtain as much information as possible from the person who reported the breach, i.e., Jeremiah Fowler, including how the breach was discovered and what other data was potentially compromised (if not yet included in the report).
Determine the scope, i.e., the extent of the breach, and involve the appropriate parties such as representatives from the affected government agencies, regulators and third-party service providers, especially since the researcher shared that the data was found in an exposed cloud storage repository.
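Scoping an exposed-storage incident starts with the repository's access logs (the same logs the PNP said it requested from PRSS). The following is an added example, not code from the original post: it parses a constructed, simplified access-log format (timestamp, requester, source IP, operation, object key, HTTP status) and reports which objects were read without credentials, from where, and over what window. Real cloud providers each have their own access-log schema, so the parser's field layout is an assumption that would need adapting; the log lines, keys and IP addresses below are constructed sample data.

```python
"""Scope an exposed-storage incident from access logs (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample access log (not real data). Requester "-" means the
# request carried no credentials, i.e. anonymous access.
SAMPLE_LOG = """\
2023-04-10T08:12:01Z svc-prss-uploader 203.0.113.10 PUT applicants/2023/a-0001.pdf 200
2023-04-12T22:41:17Z - 198.51.100.23 GET applicants/2023/a-0001.pdf 200
2023-04-12T22:41:18Z - 198.51.100.23 GET applicants/2023/a-0002.pdf 200
2023-04-12T22:41:19Z - 198.51.100.23 GET applicants/2023/a-0003.pdf 404
2023-04-15T03:05:44Z - 192.0.2.77 LIST applicants/ 200
2023-04-15T03:05:50Z - 192.0.2.77 GET applicants/2023/a-0002.pdf 200
2023-04-17T11:30:00Z svc-prss-uploader 203.0.113.10 GET applicants/2023/a-0001.pdf 200
"""


@dataclass
class Entry:
    ts: datetime
    requester: str
    ip: str
    op: str
    key: str
    status: int


def parse_log(text):
    """Parse the assumed whitespace-separated format into Entry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, requester, ip, op, key, status = line.split()
        entries.append(Entry(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                             requester, ip, op, key, int(status)))
    return entries


def anonymous_reads(entries):
    """Successful unauthenticated reads or listings: direct evidence of exposure."""
    return [e for e in entries
            if e.requester == "-" and e.op in ("GET", "LIST") and e.status == 200]


def scope(entries):
    """Summarise what was exposed, to whom and when; None if no anonymous access."""
    reads = anonymous_reads(entries)
    if not reads:
        return None
    return {
        "first_seen": min(e.ts for e in reads),
        "last_seen": max(e.ts for e in reads),
        # Objects actually fetched without credentials.
        "objects": sorted({e.key for e in reads if e.op == "GET"}),
        # Which sources pulled data, and how many requests each made.
        "source_ips": Counter(e.ip for e in reads),
        # A successful LIST means the whole index was enumerable, so the
        # exposure is wider than the objects that were fetched.
        "listed": any(e.op == "LIST" for e in reads),
    }


if __name__ == "__main__":
    result = scope(parse_log(SAMPLE_LOG))
    print(result)
```

The "listed" flag matters when reporting scope: once an anonymous caller has enumerated the repository, every object in it should be treated as potentially known, not just the ones with a logged GET. The 404 line is deliberately excluded, since a failed request disclosed nothing, but its presence still shows someone probing for more records.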
Containment (stop the bleeding) and Eradication.
If the database is managed by the government agencies or their third parties, add password protection to the affected cloud storage repository. Revoke the access permissions or disable the affected account related to the cloud storage repository to isolate it and prevent further unauthorized access. Before changing anything, export the repository's current access configuration and logs so the investigation keeps a record of how it was exposed. That is why it is key to identify who owns or manages the compromised database.
It gets tricky if the database is not within the government agencies' control. The incident response team may need to ask the owner to remove the disclosed data if it has been sent to a public server. And if it's not possible to remove the disclosed data, the incident response team needs to provide a complete analysis to the public relations team and management. The best they can then do is to monitor the spread of the leaked documents on social media and websites.
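For the containment step, "password protection" on a cloud storage repository means removing whatever grant lets unauthenticated callers read it. The following is an added example, not code from the original post and not tied to any real PNP system: it checks a bucket policy document for statements that allow anyone to read, and shows the weak policy beside a corrected one. The policies are constructed and follow the shape of an AWS S3 bucket policy, which is an assumption (the post does not name the provider); the bucket name, account number and role name are placeholders.

```python
"""Detect anonymous-read grants in a storage bucket policy (added example)."""
import json

# Actions that let a caller read object contents or enumerate the bucket.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means any caller, including unauthenticated ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def public_read_statements(policy):
    """Return the Sids of Allow statements that grant read access to everyone."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if _is_anonymous(stmt.get("Principal")) and actions & READ_ACTIONS:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


# Constructed weak policy: the kind of grant that makes a repository world-readable.
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::PLACEHOLDER-records-bucket",
                 "arn:aws:s3:::PLACEHOLDER-records-bucket/*"]
  }]
}""")

# Constructed corrected policy: only one named service role may read.
# The account id and role name are placeholders.
RESTRICTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ServiceRoleReadOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/PLACEHOLDER-recruitment-service"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::PLACEHOLDER-records-bucket",
                 "arn:aws:s3:::PLACEHOLDER-records-bucket/*"]
  }]
}""")


if __name__ == "__main__":
    print("exposed  :", public_read_statements(EXPOSED_POLICY))
    print("corrected:", public_read_statements(RESTRICTED_POLICY))
```

The check is deliberately conservative: a statement with an anonymous principal is flagged even if it carries a Condition that narrows it, because such grants deserve a human look during containment. A bucket policy is also only one of several places a cloud provider can grant public access (object ACLs and account-level public-access settings are others), so passing this check on its own does not prove the repository is closed.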
Recovery. Restore the compromised system to normal operations, i.e., go back to Business As Usual (BAU).
Post-Incident Activity. Discuss the incident's details in order to come up with lessons learned to avoid future incidents. With a compromise of this scale, the whole cybersecurity program of the government agencies needs to be reassessed in order to adjust the plans and implement appropriate defenses. I'll share recommended actions in my next blog.
The risks posed by this potential incident are grave. They involve not only identity theft for the affected individuals but also their safety, especially since they are law enforcers of the country. Therefore, this matter shouldn't be taken lightly. In addition, as the Philippines embarks on its digitalization initiatives, including the National ID and SIM registration, it should ensure the safety and privacy of its citizens' data. This is done by making cybersecurity a priority and an essential component of digitalization, not an afterthought.