Large-scale data breaches pinned on top officials leading hacked agencies

By Beting Laygo Dolor, Contributing Editor

Pag-IBIG Fund, the Philippine National Police (PNP), the National Bureau of Investigation (NBI), the Bureau of Internal Revenue (BIR), the Philippine Health Insurance Corp (Philhealth), and the Philippine Statistics Authority (PSA) have all been victims of date breaches or cyberattacks in the year just passed.

The PNP and the NBI alone saw the personal data of millions of Filipinos being accessed by the hackers. To-date, no group or person has been charged with violating the Anti-Cybercrime Law. The few who have been charged committed cyberlibel, mostly character assassinations on-line.

Prompting the government to pin the blame for the data leaks on top officials of the hacked government agencies.

The government’s data privacy watchdog, the National Privacy Commission (NPC), is expected to file charges against Philhealth officials after a data leak last October that saw what is said to be the single biggest data breach in the country. About 13 million personal records of Philhealth members have been captured by hackers.

The NPC described the data leak as “staggering.”

The NPC’s complaints and investigation division recommended the filing of charges against Philhealth’s executive committee.

The members of the committee are facing raps for their failure to protect “sensitive personal information” of millions of Philhealth members and employees.

After the breach, it was found that Philhealth officials sought to downplay the breach, claiming only the data of the health insurance company’s employees had been accessed.

An investigation showed that this was not the case and that millions of data had been downloaded by still-unidentified hackers.

The NPC, however, is set to file the charges against the state insurer’s president and CEO, the chief operating officer, the chief information officer, data protection officer, corporate information security department, and the information technology management department for alleged negligence.

The group stands accused of violating Section 20, 21 (a), 22 and 26 of the Data Privacy Act.

Prior to the Philhealth data breach, the nearly 1.2 million pieces of personal information held by the PNP and NBI was considered as one of the largest hacking incidents in the country.

If found guilty, the Philhealth officers face penalties between PHP500,000 and PHP2 million (roughly US$9,000 to US$36,000).

The officials also face the prospect of doing jail time of one to three years.

If this happens, Philhealth will be in even deeper trouble. With so many of its top officers possibly being axed, the health insurer may not be able to operate for an extended period.

Philhealth has been unable to pay private hospitals tens of millions of pesos in arrears despite the promise to settle over an extended period.

Private hospitals and clinics are not amenable and it is said they may refuse to accept patients dependent on Philhealth to pay for their bills.

Assaults on the databanks in the private sector, while rare, are not unheard of. But most IT departments of the top 1,000 corporations, which includes the country’s biggest banks, are well funded and up-to-date.

This is not the case in the public sector.

The Philippine government is said to have one of the weakest cybersecurity in the region.