Millions of personal data compromised in the first half of 2019: Top level government agency hacked

Published August 24, 2019, 12:00 AM

by manilabulletin_admin

Data breaches in the Philippines show no sign of slowing down. In the second half of the year, cybersecurity enthusiasts from government and private sectors are sharing data and ideas to lessen the impact of these breaches.

(REUTERS / Kacper Pempel / Files / MANILA BULLETIN)
(REUTERS / Kacper Pempel / Files / MANILA BULLETIN)

In the first half of 2019, millions of personal data were exposed and exfiltrated and hundreds of websites from the Philippines were defaced. Millions more could have been breached if white hat hackers did not help secure .ph and servers.

However, there were also misreported incidents like calling the Department of Foreign Affairs (DFA) passport data problem a hacking incident when in fact, it’s an IT project mismanagement. The Cebu Pacific incident was downplayed where hackers downloaded more than 40GB of data. Imagine this, a text file, on average, could reach up to 677,963 pages per gigabyte. The AFP also tried to downplay the hack that happened in their old servers.

Here are some of the high profile data leaks and breaches of the first half of 2019

In January of this year the marketing server of Cebuana Lhuiller, a Philippine-based pawnshop and remittance center was breached and more than 900,000 clients were affected.

Before the end of January, Globe’s 8,851 customers were affected by an information leak when their details were sent to the wrong recipients. Globe however said that this is not a breach as this was clearly a human error from their end.

In 2018, the National Privacy Commission ordered Jollibee to stop its delivery service due to possible data leakage, until now, the service is still down. Early this year, the JFC Credit Cooperative was breached with more than 7,000 records of employees that include scanned company and government IDs.

Early this year, the Armed Forces of the Philippines suffered major blows from hackers. The database of the Philippine Army’s recruitment site “Join the Army” was breached with more than 50,000 applicant details. The database of the Armed Forces of the Philippines was also leaked showing more than 20,000 details of AFP personnel. The Armed Forces and Police Savings & Loans Association or AFSLAI was also breached, hackers got the scanned copies of identification cards of account holders.

Many government websites were defaced in the first half of 2019. Tech4Ed a project of the Department of Science and Technology-ICT office that aims to harness technology to enable, empower and transform the society was breached April of this year. The hacker claimed that more than four million lines of data were downloaded. Data that include name, birthday, address, civil status, gender, educational attainment, skills, achievements and other minor details were downloaded from the Tech4Ed servers – these information could be used to steal the identity of the owners.

On March 16 the Unified Student Financial Assistance System for Tertiary Education or UniFAST was hacked. The server holding the data of 1,130,899 applicants that include a student identification number, full name, birth date, father’s and mother’s names, and address was accessed by unknown intruders and data was downloaded.

The most dangerous day for companies that are connected to the Internet is April 1, this is the day where an international hacking event dubbed as April Lulz Day is celebrated by black hat hackers all over the world. Locally, Pinoy LulzSec was the most active with members regularly updating the group’s exploits via social media during the event. Members of Pinoy LulzSec who contacted the Manila Bulletin said that more than ten thousand Facebook accounts were compromised and thousands of accounts from universities including UP-Diliman, PUP in Taguig and TUP were also exposed and uploaded in Pastebin, a site where users can upload and share text files.

In June of this year a group of hackers from Bangladesh known as ErrOr Squad attacked and defaced hundred of PH government websites. It is not known what other information the hackers downloaded from the servers under Government Web Hosting Services (GWHS).

There’s a silver lining though, from all these security breaches and malicious attacks as the government, ethical hackers and other cybersecurity enthusiasts decided to do something to mitigate the attacks.

AJ Dumanhug from Secuna, a Philippine-based cybersecurity company helped secure about five million user accounts of overseas Filipinos and their dependents. He also informed the Department of Transportation and Department of Foreign Affairs that their sensitive files could be accessed online.

Milo Pacamara of CSP-CERT helped companies secure their servers and protect their sensitive information. His group also helps individuals who have cybersecurity problems. He constantly checks apps and websites for malicious contents and he is 100% successful in solving security problems and issues that he found.

KangKong a member of Pinoy LulzSec religiously reports vulnerable government sites, but unknown to many, he also secures government sites with sensitive data without informing the owner of the servers. There has been an ongoing debate in the industry with this kind of practice, but KangKong said if he won’t secure these sites, foreign hackers could get sensitive government information.

Kalasag CERT, one of the few accreditd CERTs in the country is also doing its part in securing the Ph Internet. The group reports to National Privacy Commission anything that they stumble upon the web that could endanger the privacy and security of PH Internet users.

When the eFOI inadvertently exposed data of users asking for information, MB TechNews columnist Wilson Chua immediately coordinated with the agency informing them that his personal information was exposed. When we checked, we saw the flaw in the system, Mr. Chua informed the eFOI office about it and the issue was immediately corrected. Although Mr. Chua’s info was wrongly used, he cooperated with the eFOI office to resolve the problem. The case filed by Mr. Chua is now in its last stage of mediation.

Former DICT Asst. Secretary and Executive Director of the country’s Cybercrime Investigation and Coordination Center Allan Cabanlong was also instrumental in securing many government sites. White hat hackers go directly to him to report about the vulnerabilities in government servers. Information received by Mr. Cabanlong were immediately processed and promptly acted upon.

As we enter into the second half of the year, hackers already released their opening salvo by defacing what seems to look like an ordinary website. Examining the source code of the defaced site however would show you a much complicated hacking that took place. The hacker dropped hints that they have breached a top level government website, a hidden link when followed would show a photo of a sensitive data from the agency . If hackers could access this top government agency, I wonder what would happen to the proposed Philippine ID system that would put all our information in one supposedly secure system.

MB TechNews columnist Wilson Chua in a phone interview said that these breaches and defacements would continue as hackers have upgraded their methods and techniques. “We need to work together – government and private sectors – to mitigate these breaches”.

Pacamara agreed. “The skills of hackers have leveled up, law enforcers and cybersecurity professionals also need to upgrade and share knowledge to prevent security breaches.


Manila Bulletin TechNews will have have a forum on Cybersecurity this week. We will be inviting the National Security Council, the Armed Forces of the Philippines Cyber Group, the Philippine National Police Anti-Cybercrime Group and the National Privacy Commission. We will talk about the updates on the PH cybersecurity landscape. A demo will also be conducted to show how improper use of password could lead to a security breach.