PNP asks for more time to validate alleged data breach — NPC

The Philippine National Police (PNP) has requested for more time to validate if its database was compromised, the National Privacy Commission (NPC) said Thursday.

In a statement, Privacy Commissioner John Henry Naga said the NPC gathered concerned government agencies, namely the PNP, National Bureau of Investigation (NBI), Civil Service Commission (CSC), and Bureau of Internal Revenue (BIR) to address the alleged leak of personal data involving law enforcement agencies.

“According to representatives of said agencies, after conducting their respective investigations and vulnerability tests, the NBI, CSC, and BIR have confirmed that there were no breaches on their part and will release their respective statements to the public,” Naga said.

“However, the Philippine National Police requested for time to validate and review its systems for possible security compromise considering that the Police was highlight in the report alleging the data leak,” he said.

According to a report from Jeremiah Fowler of vpnmentor.com, a supposed leak from the PNP database comprised details of 1.2 million records of employees and applicants.

Leaked data include documents of academic and personal history such as birth certificates, educational record transcripts, diplomas, tax filing records, passports and police identification cards.

Copies of fingerprint scans, signatures, and required documents were also found.

“To further investigate this matter, we issued an order to conduct an onsite investigation on the concerned data processing system of PNP on 24 April 2023 headed by the Complaints and Investigation Division of this Commission,” Naga said.

The Privacy chief said the NPC also ordered Fowler, the cybersecurity researcher who published the article alleging the data breach, to appear before this agency on April 21 to aid in its investigation.

“The recent allegations of a data breach involving law enforcement agencies in the country should serve as a reminder that no organization, not even the government, is immune to the threat of cyberattacks and that we should remain in constant vigilance in protecting personal data,” Naga said.

“I call on all government agencies and private sectors processing personal data to review the implementation of their data privacy and security measures. It is not enough to simply comply with existing regulations and standards; we must also proactively identify and address potential vulnerabilities,” he said.

The NPC called on the concerned government agencies to strictly comply with the Data Privacy Act of 2012, including the mandatory breach notification requirement as its investigation is underway.—AOL, GMA Integrated News