Rising Cases of Data Breaches in the Country, Implications and Concerns
April 12, 2024
In recent months, the Philippines has seen a rise in cybersecurity incidents targeting several government agencies and organizations, resulting in large-scale data leaks and the exposure of computer and network vulnerabilities. In the wake of those attacks, proponents are now urging that the country's cybersecurity posture be strengthened.
The Department of Information and Communications Technology (DICT) previously noted that cyberattacks were expected to increase this year, with threat actors taking advantage of the rapid digitalization and expanding digital economy of the country:
“We expect more of that [cyberattacks] to happen. The cyber landscape is growing and as it grows, then the economic potential of that sector is also increasing. If there is more economic activity there, there is more that cybercriminals can [take advantage of],”
Ivan John E. Uy, DICT Secretary
In a recently released report, the PNP Anti-Cybercrime Group (ACG) recorded a total of 4,469 cybercrimes in the first quarter of 2024, a 21.84 percent increase compared to 3,668 cases in the same period last year. The top three cybercrimes of the first quarter of 2024 are as follows:
- Online Selling Scams (990 cases)
- Investment Scams (319 cases)
- Debit and Credit Card Scams (309 cases)
In its Data Breach Statistics report for the 4th Quarter of 2023, SurfShark, a cybersecurity company, ranked the Philippines 26th out of 250 countries by number of breached accounts (139,886). The number represents a 134.1 percent increase from the total of 59,744 recorded in the third quarter of 2023. Among the countries in East and Southeast Asia, the Philippines ranks 5th.
Notable Data Breaches in The Philippines
ComeLeak (2016)
On March 27 and 28, 2016, hackers belonging to Anonymous Philippines and Pinoy LulzSec allegedly accessed and leaked the COMELEC database containing the data of 70 million registered voters. This cybersecurity incident was dubbed the “Comeleak” and was regarded as the largest leak of personal information in Philippine history.
PNP, NBI, BIR, SAF Data Breach (2023)
In April 2023, cybersecurity company VPNMentor reported an alleged data breach of databases belonging to various law enforcement agencies, exposing over 1 million records containing personal and sensitive information. Affected agencies include the Philippine National Police (PNP), the National Bureau of Investigation (NBI), the Bureau of Internal Revenue (BIR), and the Special Action Force (SAF).
PhilHealth Medusa Ransomware Incident (2023)
On September 22, 2023, the Philippine Health Insurance Corporation (PhilHealth) was hit by Medusa ransomware, with threat actors demanding USD 300,000 or PHP 17 million in ransom. The exposed confidential information includes the names, addresses, birthdays, mobile numbers, and PhilHealth Identification Numbers of paying members, as well as member contribution payment receipts.
April Lulz Day (2024)
On April 1, 2024, several Philippine Government websites were targeted by a series of cyberattacks by various Filipino hacking groups as part of April Lulz Day, a supposed annual hacking event celebrated by LulzSec affiliates and local and international hackers.
DOST Data Breach (2024)
On April 2, 2024, the Department of Science and Technology (DOST) was involved in a cybersecurity incident in which some of the department’s websites were defaced and data amounting to 2TB was leaked. The leaked data consisted of schematics designs, backups, resumes of DOST applicants, and personal information of 297 DOST employees.
Implications of Data Breaches:
With the amount of information and data stored online by organizations, a data breach can result in threat actors gaining access to sensitive information such as names, addresses, credit cards, and bank account details, which are then used to commit various forms of malicious and fraudulent activities. Data exposed in breaches is often sold on the dark web, which acts as a marketplace for buying and selling stolen information.
PSA emphasizes the dangers of data breaches, as threat actors who have access to your information can use it as leverage to sound more convincing in their “phishing” attempts. For example, threat actors trying to phish for credentials will often recite your details, such as your name, address, or credit card numbers, to convince you to provide more sensitive information such as OTPs or your passwords.
Phishing attempts through SMS, emails, or calls often have the following characteristics:
- Threat actors will impersonate your bank or other trusted organizations.
- Threat actors will claim that they’ve noticed “suspicious” login attempts on one of your online accounts and ask you to “confirm” your login details.
- Threat actors will ask you to “verify” your personal or financial details, like your credit card number, warning that your account will otherwise be closed or terminated.
- After confirming your details, threat actors will often ask for your OTP or CVC number, claiming to need it to “fix” things on their end.
At the individual or employee level, PSA suggests considering the following recommendations to minimize your exposure to potential bank or other online-related financial cyber scams:
- Understand how serious it can be to have your phone stolen or hacked if you use it to access financial accounts. Make sure you can remotely wipe your phone or at least reset your financial account passwords if your phone is stolen.
- Make purchases online from reputable sellers and secure your payment methods. Some online scam incidents involve customers being overcharged through multiple payment methods.
- Monitor your bank accounts for any unauthorized transactions.
- Don’t click on any links allegedly from your bank. Instead, go directly to your bank’s website through a search engine or through the bank’s app. Make sure you open the legitimate, official website, since in some instances victims also fall for phishing links and fake sites designed to look like the bank’s official website.
- If you receive a call from your bank regarding an allegedly compromised account, consider hanging up and calling the bank directly to verify that it is a legitimate security alert.
- Never share your one-time PIN with anyone. Your bank won’t ask for your one-time PIN.
- If you use online banking apps, make sure that you have downloaded the application from a legitimate app store.
- Use a well-respected password manager to store strong and unique passwords. Good password managers make it easy to create and store unique passwords in a secure fashion.
- If you start receiving one-time PIN SMS messages from your bank that you did not request, contact your bank and notify them that your account may have been compromised.
- Social media platforms like Facebook offer verified badges to indicate legitimacy. Make sure to check for such badges before conducting any business or transaction, especially with well-known companies. Alternatively, don’t use Facebook to make purchases.
- Be aware of fake websites that may appear real. These often use the same logo, colors, and layout to appear genuine. Oftentimes, these websites have spelling mistakes as well as an unusual URL.