GSIS Cybersecurity Incident: Unauthorized Access to System and Subdomain Website Defacement
September 17, 2024
On September 12, 2024, the Government Service Insurance System (GSIS), a state-run social insurance institution for government employees, suffered a cybersecurity incident involving unauthorized access to its system and the defacement of a subdomain of its website. The attack was carried out by a local hacktivist and greyhat hacker group known as DeathNote Hackers, the same group responsible for the Metro Pacific Tollways Corporation (MPTC) data breach incident on September 7, 2024.

In a Facebook post, the group claimed responsibility for the attack, stating that they had gained access to the GSIS system prior to the MPTC incident. Using an administrator-level account, the group was able to access and modify applications, as well as edit system modules, all while remaining undetected by the GSIS IT team. PSA notes that
“We’ve been inside your system since last week, even before the metro tollways breach. We’ve been tweaking your apps and making quite a bit of noise all while using an administrator account. Not a single person in your IT department noticed an ‘administrator’ simultaneously editing modules and apps? That should’ve raised immediate red flags.”
DeathNote Hackers
DeathNote Hackers highlighted the potential consequences had they chosen not to disclose the incident and instead operated with malicious intent. They also outlined the major implications that could have arisen if they had been associated with more malicious foreign threat actors or illegal Philippine Offshore Gaming Operators (POGO) entities targeting financial institutions.
“Imagine if we hadn’t disclosed this and were operating from the black side of the ‘hat.’ What kind of chaos, damage, and public outrage would you be facing? And what if we were Chinese or part of POGO targeting financial agencies specifically to exploit and harm Filipinos? What do you think could have happened? We shouldn’t be asking you this; you should have known from the start. Or were we wrong?”
DeathNote Hackers
GSIS Investigating the Incident
Following the incident, GSIS released a statement confirming the breach. The government agency noted that it received a notification from its security partner at 5:20pm on September 12, 2024, about a compromised administrator account on one of its computers. The compromised computer was immediately taken offline, and GSIS is currently investigating the issue while ensuring compliance with the Data Privacy Act.
“We assure our employees, members and pensioners that the protection of their information is of utmost priority. GSIS is implementing needed measures to protect our systems and information.”
GSIS Statement
