An enormous file containing over 1.2 million records from the Philippine Police Employee database was exposed to the public for at least six weeks before it was detected and remedied, according to vpnMentor.
The file, which was not password-protected and was 817.54GB in size, contained approximately 1,279,437 records with personal and academic data of candidates and employees.
The database held fingerprint scans, signatures, and necessary documents from numerous Philippine state agencies, including the Philippine National Police (PNP), National Bureau of Investigation (NBI), Bureau of Internal Revenue (BIR), and Civil Service Commission, amongst others. It also contained letters of character recommendation from courts and municipal mayors’ offices, Tax Identification Numbers (TIN), birth certificates, educational record transcripts, diplomas, tax filing records, passports, police identification cards, and other identification documents.
“Any data breach that exposes personal information belonging to police and members of law enforcement or other officials can be dangerous. Individuals whose data is exposed could be potential victims of identity theft, phishing attacks, and a range of other malicious activities,” the report said.
“It would be easy for criminals to apply for loans, credit, or other financial crimes using the identity of these individuals and supporting documents. The availability of government records in an unsecured database raises concerns about potential national security issues. The exposed records could also potentially allow criminals to target members of law enforcement for blackmail or other schemes,” it added.
The Department of Information and Communications Technology (DICT), through the Philippine National Computer Emergency Response Team (NCERT), is currently investigating the breach.
According to the DICT, NCERT started its investigation on February 22, 2023, after receiving links to an Azure blob storage containing sample photos of IDs, including PNP and National Bureau of Investigation (NBI) clearances, from vpnMentor cybersecurity researcher Jeremiah Fowler. The incident was reported to both the PNP and the NBI between March 3 and 23, 2023.
For its part, the DICT recognizes the severity of the incident. The agency has also called on all government agencies to improve their cybersecurity measures and seek assistance to help secure their cyber assets.