Cybersecurity firm reports leak of ‘sensitive’ PNP, NBI other government agencies’ documents in breach


A cybersecurity firm has reported that more than a million highly sensitive documents from government agencies, including the National Bureau of Investigation (NBI), have been illegally exposed in a massive hacking that hit the Philippine National Police (PNP).

The company vpnMentor said the data breach carried out at an undisclosed date affected more than 1.2 million records from different government agencies, mostly by police applicants and those who are already members of the PNP.

Aside from records or clearances from the NBI, among those that were exposed are records from the PNP, Bureau of Internal Revenue, Special Action Force Operations Management Division, Civil Service Commission and other offices and agencies.

The hacking, which affected 817.54 gigabytes of records, was disclosed by vpnMentor cybersecurity researcher Jeremiah Fowler as reported by his company.

The firm said the “misconfigured” and “non-password” protected database exposed “police applicants and employees’ identification records such as passports, birth and marriage certificates, drivers’ licenses, security clearance documents, and much more.”

The PNP is yet to respond on the report.

“Upon further research, I identified these records to be related to individuals who were employed or applied to work in law enforcement in the Republic of the Philippines,” Fowler said in his report.

He categorized the records relating to “individuals who either applied for law enforcement roles (“Applicant Records”) or had been employed to work in law enforcement roles (“Employee Records”)…and Ancillary documents relating to the affairs and administration of law enforcement agencies in the Philippines.”

“These Applicant Records and Employee Records contained highly sensitive personally identifiable information (PII). I saw scans of official documentation, such as passports, birth and marriage certificates, drivers’ licenses, academic transcripts, security clearance documents, and many more,” Fowler said.

The researcher said that the database on the employee and applicant identification records “contain a selection of records pertaining to the academic and/or personal history of each applicant or employee.”

“Samples of records include copies of fingerprint scans, signatures, and required documents from multiple Philippine state agencies, including the Philippine National Police, National Bureau of Investigation (NBI), Bureau of Internal Revenue, Special Action Force Operations Management Division, Civil Service Commission, amongst others,” he said.

“The signature on file I can only assume is for verification purposes later if it was ever needed to prove it was their signature,” he added.

Fowler added that the database also contained “character recommendations, in the form of letters from courts and municipal mayors offices certifying that those individuals applying to work in law enforcement possessed a good moral character and had no prior criminal records.”

“Nearly all countries require some form of background check to work in law enforcement. These documents are…required [for submission] in the Philippines. There was also a selection of documents containing Tax Identification Numbers (“TIN”) – a nine-digit number given to individual and corporate taxpayers by the tax authorities in the Philippines for identification and record-keeping purposes,” he said.

Aside from primary records of applicants and employees, Fowler said, the database also contained documents “relating to internal directives addressing law enforcement officers, who may or may not be confidential.”

“As an example these would be orders from top leadership of how to enforce what laws and what gets priority or additional training that is needed etc.” he said.

Fowler said that as an “ethical researcher,” he could not further confirm or verify the accuracy or authenticity of the documents contained in the database.

“As such, I cannot guarantee that the contents of the documents are accurate or reliable. Furthermore, we are cognizant that accessing, downloading, or using these documents without proper authorization is prohibited and illegal, hence I have not conducted additional verification or due diligence on these documents,” he said.

Image credits: CNN PHL