
DOST also hacked: Email addresses leaked

HACKED, TOO The Department of Science and Technology was also among the government agencies hacked. —PHOTO FROM DOST.GOV.PH

The Department of Science and Technology (DOST) confirmed on Friday that it was among the three government agencies that suffered cybersecurity breaches in August.

The three breaches preceded the Sept. 22 ransomware attack on state-owned Philippine Health Insurance Corp. (PhilHealth), which leaked 734 gigabytes of its members’ personal data, according to the National Privacy Commission.

The PhilHealth breach is believed to be the largest leakage of private data in government care since the Commission on Elections’ “Comeleak” incident in 2016.

In DOST’s case, the leakage involved the email addresses of about 1,000 experts and clients who were registered in the agency’s OneExpert portal, which was meant to help the public connect with experts in given fields.

Rowen Gelonga, DOST Region 6 director, said they first learned of the leak on Aug. 31 when the Philippine National Computer Emergency Response Team informed them that an administrator account was compromised and was used to access the OneExpert site.

Cloud dump of data

But while DOST was fixing other vulnerabilities, an anonymous user posted on social media on Oct. 8 a hyperlink to a cloud dump of data from the OneExpert portal, the Philippine Statistics Authority (PSA) and the Forensics Group of the Philippine National Police (PNP-FG).

All three agencies subsequently tried to downplay the leakages by saying that the breaches were “limited” and no “sensitive” personal data were compromised.

“Based on the investigation, the links posted by the bad actors lead to limited data taken,” said National Statistician Claire Dennis Mapa, who concurrently heads the PSA.

Unlike the PhilHealth attack, however, no “bad actor” made any demand for ransom before the data dump was made, leaving the possibility that they were “white-hat penetration tests” meant to reveal cybersecurity weaknesses.


According to Gelonga, “you don’t have to undermine (or resort) to illegal means to get the names of the experts because the portal has a mechanism for contacting the expert directly.”

Still, he said they regret that the leak even happened at all and that the DOST was already beefing up their security measures.

‘An area of concern’

“We admit that this is an area of concern,” he said. “Our system was developed way back in 2016 and we are now overhauling the system.”

The PNP-FG also claimed that no “sensitive” data were compromised.

In a press briefing in Camp Crame on Friday, Police Maj. Michael Ignacio, information technology officer of PNP-FG, said the uploaded data contained a ZIP file containing eight files, with filenames indicating they were possibly databases containing DNA information from suspects and victims of police operations.

But this was not the first time that data handled by the PNP were compromised.

In April, cybersecurity researcher Jeremiah Fowler reported the existence of a non-password-protected database with over 1.2 million records, mostly employee and application records from the Comprehensive Online Recruitment Encryption System portal operated by the PNP Recruitment and Selection Service. INQ
