Emails warning about breach of over 300,000 files and documents unanswered.
A London-based security firm has issued a warning to The Solicitor General of the Philippines and the Philippines Government about a potential breach that appeared to contain over 300,000 files and documents.
According to TurgenSec it sent these emails in March, which went unanswered, and the breach was closed by the 28th of April, presumably using information provided by the company.
This breach was accessed and downloaded by an unknown third party that is not TurgenSec, and was left public facing where anyone with a browser and internet connection could access it.
This breach contained hundreds of thousands of files ranging from documents generated in the day to day running of ‘The Solicitor General of the Philippines’, to staff training documents, internal passwords and policies, staffing payment information, information on financial processes, and activities including audits, and several hundred files titled with presumably sensitive keywords such as “Private, Confidential, Witness and Password”.
The nature of these documents is of particular concern as it may have the potential to disrupt/undermine on-going judicial proceedings.
Distribution of document types:
- PDF’s: 93677
- Documents: 64245
- PowerPoints: 683
- Spreadsheets/CSV’s: 36731
- Database Dumps: 567
- Distribution of documents containing sensitive keywords:
- Private: 165
- Confidential: 28
- Password: 27
- Witness: 108
- Strategy: 5
- Distribution of documents including sensitive topics:
- Drug: 271
- Abuse: 123
- Rape: 774
- Child: 143
- Trafficking: 135
- Execution: 437
- NICA/Intelligence: 10
- Terrorism/Terrorist: 30
- Quarantine: 29
- Covid: 28
- Weapon: 48
- Duterte: 6
- Pangilinan: 63
- Opposition: 753
- Nuke: 1
- Military: 4
This data breach was particularly alarming as it is clear that this data is of governmental sensitivity and could impact on-going prosecutions and national security. An unknown third party has this data, and it is likely now in the hands of malicious actors who could do considerable damage with it if mitigation steps are not taken.
TurgenSec encouraged “the Solicitor General of the Philippines to submit the breached data to digital forensics specialists to ascertain the extent of this data breach and whether any file’s integrity was compromised”.
“We also encourage them to publicly outline the extent of the information exposed and breached, and what steps are being taken to ensure this cannot happen again,” noted TurgenSec. “Finally we request that The Solicitor General of the Philippines informs the ICO if there are UK citizens data contained within this breach and to issue a public disclosure of this, and the full extent of what citizen data was breached, so that the impacted individuals can take the necessary steps to protect themselves”.
No hacking or offensive techniques were utilised to discover the data; at the time of data access, any user with a web browser and internet connection would have been able to access the data in the database and the data was discovered during research and development for TurgenSec’s DataShadow product.