TurgenSec became aware of a publicly accessible data store which belonged to The Solicitor General of the Philippines. The breach appeared to contain over 300,000 files and documents.
TurgenSec emailed The Solicitor General of the Philippines and the Philippines Government on the 1st of March, and the 24th March. These emails went unanswered, the breach was closed by the 28th of April, presumably using information provided by TurgenSec.
This breach was accessed and downloaded by an unknown third party that is not TurgenSec.
The information was left public facing where anyone with a browser and internet connection could access it.
Extent of Breach:
This breach contained hundreds of thousands of files ranging from documents generated in the day to day running of ‘The Solicitor General of the Philippines’, to staff training documents, internal passwords and policies, staffing payment information, information on financial processes, and activities including audits, and several hundred files titled with presumably sensitive keywords such as “Private, Confidential, Witness and Password”.
The nature of these documents is of particular concern as it may have the potential to disrupt/undermine on-going judicial proceedings.
Distribution of document types:
- PDF’s: 93677
- Documents: 64245
- PowerPoints: 683
- Spreadsheets/CSV’s: 36731
- Database Dumps: 567
Distribution of documents containing sensitive keywords:
- Private: 165
- Confidential: 28
- Password: 27
- Witness: 108
- Strategy: 5
Distribution of documents including sensitive topics:
- Drug: 271
- Abuse: 123
- Rape: 774
- Child: 143
- Trafficking: 135
- Execution: 437
- NICA/Intelligence: 10
- Terrorism/Terrorist: 30
- Quarantine: 29
- Covid: 28
- Weapon: 48
- Duterte: 6
- Pangilinan: 63
- Opposition: 753
- Nuke: 1
- Military: 4
This data breach is particularly alarming as it is clear that this data is of governmental sensitivity and could impact on-going prosecutions and national security. An unknown third party has this data and it is likely now in the hands of malicious actors who could do considerable damage with it if mitigation steps are not taken.
We encourage The Solicitor General of the Philippines to submit the breached data to digital forensics specialists to ascertain the extent of this data breach and whether any file’s integrity was compromised. We also encourage them to publicly outline the extent of the information exposed and breached, and what steps are being taken to ensure this cannot happen again.
Finally we request that The Solicitor General of the Philippines informs the ICO if there are UK citizens data contained within this breach and to issue a public disclosure of this, and the full extent of what citizen data was breached, so that the impacted individuals can take the necessary steps to protect themselves.
Archive of statement updates
- 30th April 2021 – V1.0 of Statement Published
Disclosing breaches to companies is not without risk. In the past well-meaning security researchers looking to help have been threatened with prosecution. That said, to our knowledge, no ethical hacker has been successfully prosecuted under the Computer Misuse Act 1990 since it came into force.
No hacking or offensive techniques were utilised to discover the data; at the time of data access, any user with a web browser and internet connection would have been able to access the data in the database. This data was discovered during R&D for TurgenSec’s DataShadow product.
Choosing to disclose this breach is at our own risk, and to the immediate and ultimate benefit of the people and organisations impacted. To assist these individuals and organisations, we provide a broad summary of the document types and documents titles. This allows those impacted people and organisations to assess the scope of the breach and where appropriate, exercise their legal rights and incident response plans.
Going forward we hope that companies in the UK and internationally will follow the lead of the National Cyber Security Centre and encourage security researchers to disclose their findings without fear of entering a high risk, no reward situation. We believe that such a culture shift would directly benefit the UK & international community through the global reduction of cyber crime.