Did Senator Gordon violate the data privacy law?


This story is about how a victim of cybercrime (Sen. Dick Gordon) can end up liable under the Philippines' Data Privacy Act. It is a cautionary tale about what went wrong and what our readers can learn from it.

A bit of background:

On October 19, 2021, Philippine hacktivist group Pinoy Vendetta launched two waves of DDoS (Distributed Denial of Service) attacks against Philippine Senator Richard Gordon's website. This was confirmed on Sen. Gordon's page.

According to published reports and inside sources, the first wave came from foreign PCs and servers. Gordon's team blocked it with geo-blocking: web requests originating outside the Philippines were dropped, and only Philippine-based requests were allowed through. Pinoy Vendetta then launched the second wave from Philippine-based sources, which a country-level filter by design lets through.

Accounts hardcoded in text

But what Pinoy Vendetta really wanted was to deface Sen. Gordon's webpage; the DDoS was a diversionary tactic. While attention was on the flood, they exploited the unpatched web framework (Laravel) to obtain files that contained a list of websites, email addresses, user accounts, and passwords, all stored in plain text. In layman's terms, these files were the "keys to the castle": with them, the hackers had access to every part of the server and were able to download and explore its files at will.

Using an exploit for the unpatched system, the hackers explored the server and downloaded files.

This led to the extraction of private data (addresses) from a voters' list found on the Senator's website. The information of roughly 101,000 voters is now online. Here is a snippet:

Personally identifiable information (PII) taken from Sen. Gordon's server was made public by the hackers.

I reached out to Senator Gordon's web/system administrator identified in the hack to get their input on the story. As of this writing, he has pointed me to the new admin. I have not yet been able to contact the new admin.

Bad Practice

"Only the paranoid survive" was the immediate response of Angel Redoble (PLDT's First Vice President and Group CISO). Security should be front and center of all web-facing projects.

At the very least there should have been a vulnerability assessment (VA) before launch. From what we saw, basic security was an afterthought in the website project: the server was left unpatched, and critical information, including credentials, was stored in plain text inside the webroot, the very directory the web server publishes. Sen. Gordon is a high-profile target, and, predictably, hackers exploited his website. The next part explains why Sen. Gordon (the victim) may himself be liable under the law.
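The two failings above, credentials sitting in plain text in the webroot and nobody checking before launch, are exactly what a pre-launch vulnerability assessment would catch. The script below is an added example written for this article, not code from Sen. Gordon's team or from the Laravel project: it walks a webroot and flags files whose name or content suggests they hold secrets, and reports whether each one is world-readable. The filename list, the credential-key regex, and the sample webroot it builds in a temporary directory are all illustrative and constructed here; the actual files on the Senator's server are not known to us.

```python
"""Audit a webroot for credentials stored in plain text (added example).

Constructed check: walk the directory a web server publishes and flag
files whose name or content looks like a secret. The sample webroot is
built in a temp dir; nothing here is taken from the compromised server.
"""
import os
import re
import tempfile
from pathlib import Path

# Filenames and suffixes that have no business under a public webroot.
# Illustrative list, not exhaustive.
SENSITIVE_NAMES = {".env", ".env.bak", ".env.backup", ".htpasswd", "id_rsa", "database.sql"}
SENSITIVE_SUFFIXES = (".sql", ".bak", ".old", ".orig", ".swp")

# KEY=value / KEY: value lines whose key name looks like a credential.
CRED_RE = re.compile(
    r"^\s*(?:export\s+)?(?P<key>[A-Za-z_][A-Za-z0-9_]*?"
    r"(?:PASS(?:WORD|WD)?|SECRET|TOKEN|KEY))\s*[=:]\s*(?P<val>\S+)",
    re.IGNORECASE | re.MULTILINE,
)
# A CSV-style first line that names a password column marks a credential dump.
LIST_HEADER_RE = re.compile(r"\bpass(?:word)?\b", re.IGNORECASE)

MAX_BYTES = 1_000_000  # triage pass only; skip giant files instead of reading them


def file_findings(path: Path, root: Path) -> list[dict]:
    """Return zero or more findings for one file (empty list = nothing suspicious)."""
    rel = path.relative_to(root).as_posix()
    reasons = []
    if path.name in SENSITIVE_NAMES or path.suffix.lower() in SENSITIVE_SUFFIXES:
        reasons.append(f"sensitive filename: {path.name}")
    if path.stat().st_size <= MAX_BYTES:
        text = path.read_text(errors="ignore")
        keys = sorted({m.group("key").upper() for m in CRED_RE.finditer(text)})
        if keys:
            reasons.append("credential-like assignment(s): " + ", ".join(keys))
        first_line = text.split("\n", 1)[0]
        if "," in first_line and LIST_HEADER_RE.search(first_line):
            reasons.append("header names a password column: " + first_line.strip())
    if not reasons:
        return []
    # Mode bit 0o004 means "other" can read it: the web server user usually can.
    return [{"path": rel, "reasons": reasons,
             "world_readable": bool(path.stat().st_mode & 0o004)}]


def audit_webroot(root: Path) -> list[dict]:
    """Walk the webroot and collect findings, sorted by relative path."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            # A checked-in .git directory leaks the whole source tree; flag it, skip inside.
            dirnames.remove(".git")
            git = Path(dirpath) / ".git"
            findings.append({"path": git.relative_to(root).as_posix(),
                             "reasons": ["exposed .git directory"],
                             "world_readable": bool(git.stat().st_mode & 0o004)})
        for name in filenames:
            findings.extend(file_findings(Path(dirpath) / name, root))
    return sorted(findings, key=lambda f: f["path"])


def make_sample_webroot() -> Path:
    """Construct a throwaway webroot: one clean file and two leaks (sample data)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / ".env").write_text("APP_ENV=production\nDB_USERNAME=app\nDB_PASSWORD=s3cret!\n")
    (root / "backup").mkdir()
    (root / "backup" / "accounts.txt").write_text(
        "site,email,username,password\nexample.test,a@example.test,admin,hunter2\n")
    return root


if __name__ == "__main__":
    for f in audit_webroot(make_sample_webroot()):
        flag = "WORLD-READABLE " if f["world_readable"] else ""
        print(f"{flag}{f['path']}: " + "; ".join(f["reasons"]))
```

Run it against the real document root (`audit_webroot(Path("/var/www/html"))`, or wherever the site lives) before go-live and after every deployment; a clean run is one with an empty list. The content heuristics are deliberately loose, so expect to review the hits by hand, but anything they do flag has no business being reachable from the internet.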

Data Privacy Law:

"SEC. 26. Accessing Personal Information and Sensitive Personal Information Due to Negligence. — (a) Accessing personal information due to negligence shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law."

In short, there is a standard of care for data collectors and processors. There is a saying in data privacy practice: "You MUST PROTECT what you COLLECT." Senator Gordon's camp, or more precisely their data privacy officer and web team, should have investigated within the first 24 hours of the incident. From the published reports, this was done. However, they concentrated only on the DDoS attack.

Had they analyzed the web server logs, they would have seen that the sensitive files had been retrieved. It is not clear whether they took this step; they may still be unaware of the data loss.
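This is the point a practitioner would want to see worked through: a flood and a theft leave very different traces in the same access log, and a team that only counts the flood misses the theft. The script below is an added example, not code from the article or from Sen. Gordon's team. It parses web server log lines in the common "combined" format, separates the IPs that generate volumes of failed requests (the DDoS noise) from the successful downloads of sensitive or unusually large files (the actual exfiltration), and then pulls every other request made by the exfiltrating client. The log lines are constructed for this example, using RFC 5737 documentation addresses and made-up paths; they are not the Senator's logs, and the sensitive-path patterns are illustrative.

```python
"""Triage a web access log for data theft hidden behind a DDoS (added example).

Constructed sample: a flood of 503s from two IPs and, in the middle of it,
one quiet client that fetches a database dump and a large voter list.
"""
import re
from collections import Counter, defaultdict

# nginx/Apache "combined" format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Paths a public site should never serve; illustrative, extend for your stack.
SENSITIVE_PATH_RE = re.compile(
    r"(^|/)(\.env|\.git(/|$)|\.htpasswd|composer\.(json|lock)|storage/logs/)"
    r"|\.(sql|bak|old|zip|tar|gz|csv|xlsx)(\?|$)",
    re.IGNORECASE,
)
BIG_RESPONSE = 1_000_000  # bytes; a brochure site rarely hands out bodies this large

SAMPLE_LOG = """\
203.0.113.7 - - [19/Oct/2021:10:00:01 +0800] "GET / HTTP/1.1" 503 197 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Oct/2021:10:00:01 +0800] "GET / HTTP/1.1" 503 197 "-" "Mozilla/5.0"
198.51.100.22 - - [19/Oct/2021:10:00:02 +0800] "GET /?q=1 HTTP/1.1" 503 197 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Oct/2021:10:00:02 +0800] "GET / HTTP/1.1" 503 197 "-" "Mozilla/5.0"
192.0.2.55 - - [19/Oct/2021:10:00:03 +0800] "GET /backup/database.sql HTTP/1.1" 200 52000 "-" "curl/7.68.0"
198.51.100.22 - - [19/Oct/2021:10:00:03 +0800] "GET /?q=2 HTTP/1.1" 503 197 "-" "Mozilla/5.0"
192.0.2.55 - - [19/Oct/2021:10:00:09 +0800] "GET /storage/exports/voters.csv HTTP/1.1" 200 18422311 "-" "curl/7.68.0"
203.0.113.7 - - [19/Oct/2021:10:00:10 +0800] "GET / HTTP/1.1" 503 197 "-" "Mozilla/5.0"
192.0.2.55 - - [19/Oct/2021:10:00:12 +0800] "GET /admin/login HTTP/1.1" 200 2210 "-" "curl/7.68.0"
198.51.100.22 - - [19/Oct/2021:10:00:12 +0800] "GET /?q=3 HTTP/1.1" 503 197 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """One log line -> dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def flood_ips(records, min_requests=3, error_share=0.8):
    """IPs whose traffic is mostly 5xx/429 under volume: the DDoS noise.

    min_requests is tiny here to fit the sample; on a real log use hundreds+.
    """
    total = Counter(r["ip"] for r in records)
    errors = Counter(r["ip"] for r in records if r["status"] >= 500 or r["status"] == 429)
    noisy = [ip for ip, n in total.items() if n >= min_requests and errors[ip] / n >= error_share]
    return sorted(noisy, key=lambda ip: -total[ip])


def exfil_events(records):
    """Successful responses that handed out sensitive files or unusually large bodies."""
    events = []
    for r in records:
        if not 200 <= r["status"] < 300:
            continue  # 403/404 are probes; only a 2xx means the file actually left
        why = []
        if SENSITIVE_PATH_RE.search(r["path"]):
            why.append("sensitive path")
        if r["bytes"] >= BIG_RESPONSE:
            why.append(f"large response ({r['bytes']} bytes)")
        if why:
            events.append({"ip": r["ip"], "time": r["time"], "path": r["path"],
                           "bytes": r["bytes"], "why": why})
    return events


def triage(log_text):
    """Separate the flood from the theft and collect the thief's full footprint."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    events = exfil_events(records)
    suspects = {e["ip"] for e in events}
    footprint = defaultdict(list)  # every request by a confirmed exfil IP, in log order
    for r in records:
        if r["ip"] in suspects:
            footprint[r["ip"]].append(r["path"])
    return {"flood_ips": flood_ips(records), "exfil": events, "footprint": dict(footprint)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("flood sources:", ", ".join(result["flood_ips"]))
    for e in result["exfil"]:
        print(f"EXFIL {e['time']} {e['ip']} {e['path']} ({'; '.join(e['why'])})")
    for ip, paths in result["footprint"].items():
        print(f"footprint of {ip}: {paths}")
```

The ordering matters: start from the successful responses, not from the volume. On the sample, the two busiest IPs never get anything but a 503 and tell you nothing, while the client with three requests walks away with the database and the voter list, and its third request (`/admin/login`) is the lead for the defacement that followed. The same footprint list is what the incident report to the NPC and the evidence package for law enforcement need: which client, which files, at what time, and how many bytes.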

In most cases, they would then have 72 hours to notify the National Privacy Commission (NPC) of the breach. Manila Bulletin checked with the NPC; no such notification had been filed as of this writing.

However, Atty. Francis Euston Acero, Meralco's Deputy Data Privacy Officer, clarified that while there is a data breach, the 72-hour rule does not apply in this case. For it to apply, three conditions need to be satisfied:

  1. The exposed data was enough for fraudsters to commit identity theft.
  2. There are reasonable grounds to believe that the data is in the hands of unauthorized persons.
  3. Taken together, there is a likelihood of a real risk of serious harm to the data subject (which must be demonstrable).

That does not mean Sen. Gordon's team is off the hook. They still need to conduct a proper internal investigation, keep records of the incident, preserve evidence, and contact law enforcement.

MB Security Team

Manila Bulletin's security team did note that the HTML pages hosted on github.io were using an ngrok.io account. An ngrok tunnel forwards traffic to a machine its operator controls, so this could be a lead to the true identities of the Pinoy Vendetta group.

Using ngrok.io, the hackers posted the link to the voter data.

Also, as a best practice for the security community, Manila Bulletin immediately informed the NPC and Comelec about the breach. We have also alerted Sen. Gordon's camp about the hackers' successful exploits and that they need to change all their system and root passwords so that subsequent attacks would fail. We also delayed publishing this to give Sen. Gordon's camp time to change the passwords to their website.

(As Wilson Chua was filing this report, we received information from the camp of Sen. Gordon that they have immediately prepared a report for the NPC about this incident. The IT team is also collecting all evidence of the incident for the NBI anti-cybercrime group. All passwords were also changed by the IT team upon learning of the incident. -- editor)