There's been a data breach in several government agencies over the past few days. While there are no immediate threats to Filipino citizens just yet, cybersecurity experts are sounding the alarm especially since scams remain rampant despite the SIM Registration Act already in full swing.
In late September, a group called Medusa stole the personal information of the beneficiaries of the Philippine Health Insurance Corporation (PhilHealth), holding it for a $300,000 (P17 million) ransom. Some of the data worth 734 GB—which include name, address, birthday, sex, mobile number, and identification number—were reportedly released on the dark web.
To date, PhilHealth has at least 103 million beneficiaries.
PhilHealth assured the public that its primary database is still "intact and not infected" after the cyberattack.
A week afterward, the Philippine Statistics Authority (PSA), the Department of Science and Technology (DOST), and the Philippine National Police Forensic Group fell victim next though there was no demand for ransom.
The PSA said the data breach didn't affect personal information involving the national ID and the civil registry system and was limited to its community-based monitoring system (CBMS).
The CMBS is used by PSA regional offices to submit data from household surveys looking into information like household income and number of family members. It serves as the basis for the government's poverty alleviation programs.
The DOST leak, meanwhile, said it happened on its OneExpert website via a "compromised account." The website contains information about Filipino science and technology experts.
The agency assured the public that though names and emails of experts were leaked, no sensitive personal information has been compromised.
Dominic Ligot, chief executive officer and chief technology officer of social impact technology company CirroLytix, told PhilSTAR L!fe that the PSA, DOST, and PNP cyberattacks appear to be some form of "hacktivism" trying to expose the generally weak state of our government's cybersecurity.
But Ligot, in an earlier LinkedIn blog post on the heels of the incident, also warned against making a "blanket assessment" of all government systems.
"It's crucial to remember that each system has its own security measures, and the vulnerability of one does not necessarily indicate a widespread issue," he said, adding government agencies work tirelessly to protect citizens' data.
Though it's natural for Filipinos to seek answers, Ligot in his blog post said jumping to conclusions and entertaining conspiracy theories may hinder the process of addressing the breach as they may cause unnecessary panic.
In any case, he told L!fe government agencies need to hire cyber experts and invest in anti-malware and threat monitoring.
He also called on institutions to prepare for breaches as if they were like floods or earthquakes via active early reporting, investigations, and management of public perception.
Ligot said that though the leaks don't pose immediate threats to Filipinos, they may be at risk of identity theft.
Since their emails, phone numbers, and passwords are out there, on top of their IDs and photos, hackers may steal their identity and use their names for criminal activities.
They're also at risk of being involved in illicit transactions on e-commerce and online banking platforms.
In light of the PhilHealth cyberattack, Russia-based antivirus provider Kaspersky also noted that stolen data can be used for further financial gain, particularly when they're being put up for sale on the dark web.
Kaspersky noted that the average cost for access to a big company’s systems lies between $2,000 and $4,000 (P113,000 and P227,000), which is "relatively inexpensive compared to the potential damage it could cause targeted businesses."
Its past research showed personal details sell for $10 (P500) each, while selfies with documents fetch for around $40 to $60 (P2,200 to P3,400). Medical records are worth $30 (P1,700) each.
What to do moving forward
Kaspersky is urging Filipinos to do the following in light of the cyberattacks on government agencies:
- Inform the people in your life of what happened so they can avoid possible scams using your identity, and help you report it to authorities.
- Check if your email account has been exposed via https://haveibeenpwned.com or https://monitor.firefox.com/.
- Change the passwords on all your accounts, as well as the security questions and answers and PIN codes attached to your account.
- Secure your computer and other devices with antivirus and anti-malware software.
- Don't respond directly to requests from a company to give them personal data after a data breach.
- Sign up for two-factor authentication wherever it is available.
- Monitor your accounts for signs of any new activity.
Ligot also advised separating one's identities being used for financial transactions as much as possible.
"The irony is since SIM card registration, we were forced to centralize our identities and maintain one number and email for everything. Now we know that is actually riskier," he said.
"The emails and numbers you use for banking should be for banking alone to minimize the risk of compromise if other hacks occur in your other identities."
The public is also advised against downloading or accessing leaked data—even out of curiosity—as they entail potential violations of the Data Privacy Act of 2021.
The law carries a penalty of imprisonment from one to three years and a fine of P500,000 to P2 million for unauthorized access to data.