Philippine government data leaks remain unplugged

Published February 23, 2021, 11:02 AM

by Art Samaniego

After the COMELEAK, it was expected that the Philippine government would at least improve the way it handles the cybersecurity threats, vulnerabilities, and issues the country is facing. It looks like we never learned from past mistakes. The biggest data breach in the history of the country, courtesy of the COMELEC, was not the first, and it was not the last. Hackers continue their rampage across the Philippine Internet landscape, defacing private, educational, and government websites and breaching databases.

Thousands of pieces of personal data from government websites have been leaked to the public, SSL certificates of sensitive government sites expired and were never renewed, hundreds of sites were hacked, databases of government agencies were downloaded by hackers, names of police trainees were exposed, and details of uniformed military personnel were shared online. Some government websites were left unattended for so long that they are now hosting businesses not related to the Philippine government. Imagine a site hosting a wedding planner’s page.

Just recently, we got a piece of information from a whitehat who regularly checks the PH internet for threats. He showed us a link to a website that claims to have copies of government databases from all over the world. Upon checking we saw nine instances of, and upon further reading the content, we found what looks like databases from three PH government agencies, one containing more than one thousand records, the next one with more than one hundred records, and the last one with two records.

Copies of databases owned by Philippine government agencies were posted online and made publicly available for anyone with an internet connection to see. The site contains what looks like a database dump with complete names, login names, email addresses, and hashed passwords. A database dump is a file containing a database's structure and content, which can be used for backup purposes. A hashed password has been transformed into a scrambled representation of the password, which would supposedly make it useless to others even if they got hold of the username and the hashed password. There is, however, a problem with the way a Philippine government agency handles its password security: written beside the hash is the plaintext password the hash came from, which makes the scrambled password useless, as attackers can read the password in plain text. Another government agency listed on the website has passwords of just four characters, all in lowercase. If an attacker tried to break such a password with a brute-force attack, it would be cracked even before the attacker lifted his finger after clicking the mouse. Another database, which the site claims is from a Philippine government agency, contains the same hash in all the entries. This means that although that agency has hundreds of users with different usernames and email addresses, all of them use the same password.
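As an added example (not part of the original article), the Python below shows how a database owner could audit their own user table for two of the weaknesses described above, plaintext stored beside the hash and one hash shared by many accounts, compute how small the four-lowercase-letter keyspace is, and store passwords with a per-user salt instead. The sample rows are constructed, and the unsalted SHA-256 scheme is an assumption, since the article does not name the hash algorithm.

```python
import hashlib, hmac, os
from collections import Counter

def weak(pw):  # assumed scheme: unsalted SHA-256 (the article names no algorithm)
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed sample rows, not taken from any real dump.
SAMPLE_ROWS = [
    {"user": "alice", "hash": weak("abcd"), "plaintext": "abcd"},
    {"user": "bob", "hash": weak("abcd"), "plaintext": None},
    {"user": "carol", "hash": weak("a-much-longer-passphrase"), "plaintext": None},
]

def audit(rows):
    """Map each affected user to the storage weaknesses found in their row."""
    counts = Counter(r["hash"] for r in rows)
    findings = {}
    for r in rows:
        issues = []
        if r.get("plaintext"):
            issues.append("plaintext stored beside hash")
        if counts[r["hash"]] > 1:
            issues.append("hash shared with other accounts")
        if issues:
            findings[r["user"]] = issues
    return findings

def keyspace(length, alphabet_size):
    """Number of candidate passwords of exactly this length and alphabet."""
    return alphabet_size ** length

def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256: equal passwords no longer give equal records."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(password, salt, expected, iterations=600_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_ROWS).items():
        print(user, "->", "; ".join(issues))
    print("4 lowercase letters:", keyspace(4, 26), "candidates")
    s1, h1 = hash_password("abcd")
    s2, h2 = hash_password("abcd")
    print("same password, different stored records:", h1 != h2)
```

With a per-user salt, two accounts that choose the same password no longer show up as identical entries, which is the pattern the third database exhibits.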

With security implementations as useless as these, expect more breaches to happen. White and grey hats have become so frustrated with the way government and educational websites and servers are secured that many of them formed groups to secretly secure the sites. Phantom Troupe, GrayHatPhantom, Pinoy LulzSec, and other Pinoy hacking groups were formed to inform website owners of vulnerabilities, secure Philippine sites secretly, and even put to shame those who do not put sound security solutions in their websites and servers.

Just recently, I joined a virtual meeting where a DICT lawyer showed participants the Cybersecurity Plan 2022. While the DICT beautifully laid out the Cybersecurity Plan 2022 and beat the drum of how useful the plan is to “ensure the security of the country’s constantly evolving ICT environment,” hackers, bad actors, script kiddies, and anyone who needs to hone their skills in attacking websites have used government-owned assets to do hacking exercises and practice their cybersecurity attack skills.

On paper, the country is ready to face the future and whatever cybersecurity challenges it has to offer. In reality, it’s just a paper that hackers don’t care about as they continue to attack and breach the weak security of the government’s IT systems. Government officials who say that the country is now ready to face cybersecurity challenges need to check what’s happening on the ground.

And think about this… National ID System.