Theft of millions of Filipinos’ personal data eroding public trust


The series of data breaches at government agencies has resulted in the theft of millions of Filipinos’ personal information not only once but twice or even thrice, in gross violation of their right to privacy.

Understandably, the theft is causing Filipinos to lose trust in the offices that keep their personal data even as the “secret” funds of certain agencies have grown tremendously. 

And the stolen personal data are now being put to dangerous use, as in the case of a physician practicing in Metro Manila, who received strange calls in the first week of October from people not on her contact list. 

One caller wanted to know if she was Maria, apparently wanting to get her full name. That caller was immediately followed by another who also wanted to get her name, supposedly to confirm whether a package was really intended for her. 

The doctor prudently rebuffed the inquiries, both made past dinnertime. Even before the hacking of the website of the state-run Philippine Health Insurance Corp. (PhilHealth), it had been her practice not to give her name to callers not on her contact list, to guard against scammers.

The hacking of the PhilHealth website made her anxious because she, like many other doctors, had submitted to the health insurance company sensitive personal information as a provider of medical services. 

According to the Data Privacy Act (Republic Act No. 10173), sensitive personal information includes age, marital status, education, licenses, social security numbers, tax returns and health records.

“I was worried that there would be attempts to access even my social media accounts after they were able to get my cell phone number,” the physician said.

The “weird” calls she received coincided with the uploading of 600 gigabytes of PhilHealth files to the dark web and a Telegram channel on Oct. 5. Criminal groups usually exploit data on the dark web. 

The National Privacy Commission earlier reported the theft and leakage of a “staggering” 730 gigabytes worth of PhilHealth data.

The Department of Information and Communications Technology (DICT) said the Medusa ransomware group uploaded the data over two days after the deadline for the P17-million ransom demand lapsed. 

Payment of the ransom would have been in exchange for the handover of the decryption keys so the data could be accessed again, the deletion and non-publication of the data Medusa had obtained, and the turnover to the DICT of the copy of the data in the group’s possession.

PSA, others

PhilHealth is not the only agency victimized. The Philippine Statistics Authority (PSA), custodian of data for the national IDs issued to millions of Filipinos, acknowledged on Oct. 11 that one of its systems had been attacked.

But the PSA said its systems for the national ID project and civil registration had not been compromised. What got hit was its Community-Based Monitoring System, which it uses for targeting families in the planning, budgeting and implementation of the government’s social programs.

The personal information of law enforcers was also exposed. In April, access to a non-password-protected database holding the personal data of police officers, prosecutors and judges was reported. Their names, addresses, contact details and medical records were among the data illegally accessed.

The database had more than 1.2 million records, mostly employee records and application records in the Comprehensive Online Recruitment Encryption System portal operated by the Recruitment and Selection Service of the Philippine National Police (PNP).

The cyberattacks were not limited to government agencies.

The online systems of De La Salle University (DLSU) were attacked on Oct. 9. In a statement issued on Oct. 12, DLSU said that per the initial findings of its own investigation, “on-premise-hosted applications have been affected” but student records and cloud-hosted applications were intact. 

DLSU has tapped a leading global cybersecurity company to investigate what it called a “security incident.” 

‘Big damage’

From January to August, a total of 3,000 cyberattack cases were reported to the DICT—an undercount, it said, because data breaches had hit other government agencies, causing “big damage,” but were not reported. 

Certain private entities and individuals may also have decided against reporting any data breach as the damage to their reputation may cause them more harm than the attacks themselves.

Information and Communications Technology Secretary Ivan Uy said the agencies were not reporting the attacks for fear of being summoned to an official inquiry that would uncover their culpable negligence. 

The DICT chief said his department was waiting for some of the agencies to cooperate. He cited the need to check the compromised data and the systems that needed to be shut down to prevent further exposure.

The Department of Science and Technology (DOST) acknowledged on Oct. 12 a recent cyberattack on its OneExpert portal, a registry of Filipino experts. Some 10,000 records of experts were leaked, according to the DICT.

The DOST made the admission only after someone posted on social media on Oct. 8 a hyperlink to data not only from the OneExpert portal but also from the PSA and the PNP Forensics Group.

Identity theft, etc. 

The ransomware attack on PhilHealth’s website and online application on Sept. 22 may have resulted in the theft of the personal data of more than 90% of Filipinos, exposing them to such risks as identity theft, fraud, extortion and blackmail.

PhilHealth has more than 104 million beneficiaries, including members and dependents. 

Among the stolen data are photos, bank cards, transaction receipts of premium payments, the payee’s full name and 12-digit PhilHealth identification number. The compromised data also include birthdays, sex, addresses, ID cards, work-related documents and contracts, said the Privacy Commission, which is investigating the data breach.

The loss of the data came just a few years after PhilHealth was implicated in a “ghost claims” scam that reportedly cost taxpayers billions of pesos.

Not safe

The data breaches indicate one thing: The personal data of Filipinos in government agencies are not safe. They highlight the weakness in the Philippines’ cybersecurity defense, a weakness that can erode the public’s willingness to entrust personal information to government agencies.

The first massive theft of digital data on Filipinos occurred in 2016 when hackers obtained the personal information of more than 55 million voters, including their names, birthdays, home and e-mail addresses, and parents’ full names.

It is likely that the personal information of the doctor who received calls from strangers or of any other Filipino has been stolen twice—first in 2016 with the theft of data from the Commission on Elections and second in September with the PhilHealth data breach. 

“I will no longer apply for a national ID because I do not trust the government’s data security system,” the doctor said. “The agencies are just reacting to data breaches and are not taking the initiative to strengthen their defenses against hackers.” 

For a beneficiary of a government social program on the PSA’s Community-Based Monitoring System, or a police officer who is a registered voter, or a PhilHealth member, their personal data may have been compromised thrice.

Expired antivirus software 

Sen. Grace Poe said the hackers might have taken advantage of the expiration of PhilHealth’s antivirus software in May. 

“They have not subscribed to antivirus and security software since May. That’s why they were hacked. I don’t think there is an excuse for any government agency to not have security in their databases,” the senator was quoted as saying. 

Unsurprisingly, the cyberattack came shortly after the subscription to the antivirus system had lapsed. DICT Undersecretary Jeffrey Ian Dy said the Medusa ransomware had infected PhilHealth’s data system since June.

Amid the public uproar, PhilHealth tried to downplay the data breach, saying on Oct. 3 that the ransomware attack had affected only application servers and employees’ workstations, and not the servers containing members’ private information.

The DICT has initially found that the PhilHealth members’ databases were safe and secure, Dy said. But nothing short of a public congressional hearing aired live will enable Filipinos to know if that claim holds. 

Bigger budget

Fortifying the Philippines’ defense against cyberattacks is in order. The P400-million budget of the DICT’s Cybersecurity Bureau needs upgrading—a situation that three senators recognize.

Sen. William Gatchalian said the attack on PhilHealth’s data system “highlights the pressing need for the DICT to have access to confidential funds.” Majority Leader Joel Villanueva and Sen. JV Ejercito are pushing for the retention of the DICT’s proposed P300 million in confidential funds for 2024, which the House of Representatives earlier deleted.

In the meantime, Filipinos need to be vigilant in protecting their privacy amid numerous anecdotes of continued attempts at scamming the public.

Isabel, an editor of an educational website, said she received a text message last week that she needed to collect her bingo winnings by pressing a link. She ignored it.

JP, a college student, received a call on Oct. 5 from a male caller he suspected was from India, who wanted to recruit him for an online job. He dropped the call. 

Ton, a swimming instructor, was billed last month P60,000 for a credit card purchase he did not make. Fortunately, his bank granted his request to disallow the transaction.

These unsolicited calls were supposed to have been prevented by the registration of all SIM cards, which required an owner to take a selfie and submit it, along with a government-issued ID, to the phone service provider. The integrity of the process was shattered after it was disclosed at a Senate public hearing that someone was able to register a SIM card using a smiling monkey’s photo and a fake ID. 

Two-factor authentication

In the wake of the data breaches, the DICT has advised the public to avoid spam texts and phishing and to enable two-factor authentication in their accounts.

It also urged PhilHealth members not to click links supposedly sent by the health insurer through text or email; these links install a backdoor, ransomware or other types of malicious software in one’s computer. 

Civil servants handling Filipinos’ sensitive information should be given tools and training to fend off cyberattacks, and be held accountable for any data heist so they would focus on the enormity of their responsibility to protect data in their care. 

Enforcing penalties prescribed by the Data Privacy Act can help. Those found guilty of unauthorized processing of personal information face imprisonment of one to three years and a fine of P500,000 to P2,000,000. Imprisonment for three to six years and a fine of P500,000 to P4,000,000 await those found to have processed sensitive personal information without authorization or consent of the data subject.

Also increasingly necessary is a formal introduction of a course on cybersecurity for students—how to avoid scams, protect one’s data privacy, safely navigate the digital world, spot misinformation, and related topics. 

(As this report was being processed for posting, the House of Representatives announced that its website had “experienced unauthorized access.” —Ed.)
