National Privacy Commission investigates alleged breach of personal data in law enforcement agencies


At a glance

  • The National Privacy Commission (NPC) is investigating an alleged breach of personal data involving Philippine law enforcement agencies, following a VPNMentor article by cybersecurity researcher Jeremiah Fowler.

  • Fowler discovered a non-password-protected database containing over 1.2 million sensitive records linked to individuals employed or applying for law enforcement roles, including scanned official documents and sensitive personal information.

  • Privacy Commissioner John Henry Naga emphasized the importance of safeguarding personal data, reminding organizations of their responsibility to protect the information they collect and stating that the NPC will thoroughly investigate the alleged breach.

  • The NPC is working closely with the PNP, NBI, and other concerned agencies to ensure appropriate actions are taken to prevent similar incidents in the future, stressing the right to privacy as a fundamental human right.


The National Privacy Commission (NPC) is set to meet with representatives from the Philippine National Police (PNP), National Bureau of Investigation (NBI), Civil Service Commission (CSC), and Bureau of Internal Revenue (BIR) today at 1:00 pm to investigate an alleged breach of personal data involving law enforcement agencies. This comes after Jeremiah Fowler, a cybersecurity researcher, posted a story on the website of VPNMentor, a virtual private network (VPN) provider, saying that documents containing sensitive personal information of police officers, prosecutors, and judges were leaked.

The VPNMentor article mentioned that a non-password-protected database containing more than 1.2 million sensitive records linked to individuals employed or applying for law enforcement roles in the Republic of the Philippines had been discovered by cybersecurity researcher Jeremiah Fowler. The exposed information includes scanned official documents such as passports, birth and marriage certificates, drivers' licenses, academic transcripts, security clearance documents, and more.

Fowler categorized the records into two groups: Applicant Records and Employee Records, both containing highly sensitive, personally identifiable information (PII). These records also included documents from various Philippine state agencies, including fingerprint scans, signatures, character recommendations, and tax identification numbers.

In addition to the identification records, the database contained internal law enforcement directives, which may or may not be confidential. Fowler, an ethical researcher, refrained from verifying the accuracy or authenticity of these documents.

The NPC has deemed this issue of utmost importance and is taking immediate action to ensure that those responsible for the alleged breach will be held accountable.

Privacy Commissioner John Henry Naga issued a statement, saying, "As your data privacy authority, the NPC is fully committed to protecting personal information and assures the public that we will not leave a stone unturned in getting to the bottom of this alleged breach."

Commissioner Naga also reminded organizations that process personal data of their responsibility to protect the information they collect. "Do not collect if you can't protect," he added.

In response to the alleged breach, the NPC has called on the PNP to provide additional information and explanation about the incident. "The NPC takes this matter very seriously, and we are working closely with all concerned agencies to investigate this issue thoroughly," said Commissioner Naga. The Commission emphasized the importance of safeguarding personal data and encouraged organizations to implement necessary measures to protect personal information. The NPC also reminded the public that the right to privacy is a fundamental human right that must always be respected. The NPC said the agency would continue working closely with the PNP, NBI, and other concerned agencies to ensure appropriate actions are taken to prevent similar incidents from happening in the future.