Philippines Police Employee Records Leaked Online in a Massive Data Breach
Cybersecurity researcher Jeremiah Fowler recently reported to vpnMentor the existence of a non-password-protected database containing over 1.2 million records.
Upon further research, I identified these records to be related to individuals who were employed or applied to work in law enforcement in the Republic of the Philippines, and could be broadly categorized into:
- Documents relating to individuals who either applied for law enforcement roles (“Applicant Records”) or had been employed to work in law enforcement roles (“Employee Records”) in the Republic of the Philippines; and
- Ancillary documents relating to the affairs and administration of law enforcement agencies in the Philippines.
These Applicant Records and Employee Records contained highly sensitive personally identifiable information (PII). I saw scans of official documentation such as passports, birth and marriage certificates, drivers’ licenses, academic transcripts, security clearance documents, and many more.
1. Employee and Applicant Identification Records
The database appeared to contain a selection of records pertaining to the academic and/or personal history of each Applicant or Employee. Samples of records include copies of fingerprint scans, signatures, and required documents from multiple Philippine state agencies including the Philippine National Police, National Bureau of Investigation (NBI), Bureau of Internal Revenue, Special Action Force Operations Management Division, Civil Service Commission, amongst others. I can only assume the signature on file is kept for later verification, if it were ever needed to prove it was their signature.
The database also contained character recommendations, in the form of letters from courts and municipal mayors' offices certifying that those individuals applying to work in law enforcement possessed a good moral character and had no prior criminal records. Nearly all countries require some form of background check to work in law enforcement. These documents are what is required in the Philippines. There was also a selection of documents containing Tax Identification Numbers (“TIN”) - a nine-digit number given to individual and corporate taxpayers by the tax authorities in the Philippines for identification and record-keeping purposes.
2. Additional Records
Based on the limited samples of records I viewed, the database also appeared to contain documents relating to internal directives addressing law enforcement officers, which may or may not be confidential. As an example, these would be orders from top leadership on how to enforce which laws, what gets priority, or what additional training is needed. As an ethical researcher, I cannot further confirm or verify the accuracy or authenticity of these documents contained within this database. As such, I cannot guarantee that the contents of the documents are accurate or reliable. Furthermore, we are cognisant that accessing, downloading, or using these documents without proper authorisation is prohibited and illegal, hence I have not conducted additional verification or due diligence on these documents.
What the database contained
- Total size: 817.54 GB
- Total number of records exposed: 1,279,437
- Employee and Applicant Identification Records: Scanned and photographed images of original documents that included: birth certificates, educational record transcripts, diplomas, tax filing records, passport and police identification cards. Included in the files were combined records certifying that there are no pending cases or criminal history for the officer. These included Republic of the Philippines justice department’s certification, local or regional court records, and the National Bureau of Investigation (NBI) identification and clearance documents.
Any data breach that exposes personal information belonging to police and members of law enforcement or other officials can be dangerous. Individuals whose data is exposed could be potential victims of identity theft, phishing attacks, and a range of other malicious activities. It would be easy for criminals to apply for loans or credit, or to commit other financial crimes, using the identity of these individuals and supporting documents. The availability of government records in an unsecured database raises concerns about potential national security issues. The exposed records could also potentially allow criminals to target members of law enforcement for blackmail or other schemes.
As security researchers, our primary objective is to ensure the protection of data and to help secure any exposed data. It is crucial to emphasize that the information in question was readily accessible to individuals with an internet connection. I am confident that my responsible disclosure has served to safeguard the affected individuals, the database, and network systems of the Republic of the Philippines. Furthermore, there existed a potential risk of a cyber-attack or the encryption of the database via ransomware, although I did not observe any such indications during my investigation. My reporting was strictly limited to outlining the actual risks that could have arisen from such a data breach.
As a professional researcher, I adhere to ethical practices and conduct my investigations with utmost integrity. During my assessment, I view only a restricted sample of records to authenticate my findings, without extracting any data. I am fully cognizant of the national security implications of data breaches and aim to protect the personally identifiable information (PII) of law enforcement personnel in the Philippines.
As researchers, we maintain objectivity and do not insinuate any wrongdoing by law enforcement agencies in the Philippines or suggest that any officers were at risk due to the leaked records. I have attempted to initiate dialogue with relevant authorities but have not received an official response, making it challenging to pinpoint any parties potentially responsible for the data breach. I sent over 15 responsible disclosure notices over several weeks to multiple agencies before action was finally taken. The Philippine National Computer Emergency Response Team responded to several of my messages thanking me for reporting and indicated they were trying to identify who was responsible for the data exposure.
Due to the amount of time between when the exposure was discovered, reported, and finally closed, it is unclear exactly how long the database was publicly accessible or if anyone else may have accessed it. I can validate that the data was exposed for a minimum of 6 weeks, during which I did my best to have it secured. To fully understand the extent and impact of the breach, a comprehensive forensic audit is necessary.