A misconfiguration in the systems of the Philippine National Police caused a significant data leak and put its officers at risk.
- The Philippine National Police (PNP) leaked more than 1.6 million files, including passports, national ID photos, marriage and death certificates, and selfies with the IDs of their officers.
- The leak was caused by a misconfiguration of police systems that left its storage publicly accessible to anyone.
- The exposed data is very concerning as it reveals officers' identities. It’s also a gold mine for fraudsters who might exploit victims with various scams.
- Cybernews contacted the PNP, and access to the bucket was secured.
The Cybernews research team discovered that the Philippine National Police (PNP) leaked 1.6 million files containing officers’ sensitive data. The leak, which included photos of passports and national IDs, was due to a basic misconfiguration of their systems. A storage bucket owned by PNP was left without a password, meaning that anyone could’ve accessed it.
This case serves as a stark reminder of how cybersecurity loopholes can jeopardize individuals. Unsecured access to the storage bucket presented a prime opportunity for malicious actors to exploit the leaked documents in various fraudulent schemes.
Cybernews reached out to PNP, and access to sensitive data was secured. However, at the time of writing, we haven’t received a comment on the possible security measures the police department is planning to implement to prevent such incidents in the future.
A treasure trove of personal data
The leaked documents were most likely submitted to the department by former PNP members applying for retirement benefits and state pensions.
The exposed data includes personal documents such as passports and national IDs, marriage and death certificates, and PNP cards of retired members. This could provide malicious actors with a treasure trove of personally identifiable information (PII) such as full names, dates of birth, home addresses, and even the names of spouses.
Among the files, the researchers stumbled upon selfies of applicants holding their IDs. This practice, commonly requested by online services to verify one's identity, adds an additional layer of concern to the situation.
A gold mine for fraudsters
The combination of selfies and IDs provides cybercriminals with an easy opportunity to impersonate victims and offer seemingly legitimate proof of identity.
With access to these images and ID information, malicious actors can exploit victims' identities and engage in fraudulent activities such as applying for loans, credit cards, and other financial services.
As the passports and IDs belong to former employees of the Philippine National Police, coupled with the extensive PII they possess, cybercriminals gain the advantage of appearing credible or having official authority. This puts victims at a heightened risk.
The fact that the data belongs to individuals applying for pensions might also be concerning. Elderly individuals generally have limited familiarity with technology and limited online experience and are particularly vulnerable to phishing attempts.
Their lack of awareness regarding common phishing techniques opens the door for perpetrators to deceive victims into disclosing additional personal information or performing actions that involve sharing financial details or transferring funds.
Staying safe
Access to the bucket was secured, however in order to mitigate any further risk related to the data leak, PNP should take action:
- The PNP is urged to promptly notify the affected individuals about the data leak and provide them with guidance on establishing strong passwords.
- Given the substantial amount of PII that has been exposed, weak passwords can be easily exploited by attackers.
- The PNP should take proactive measures to alert and guide affected officers in recognizing fraudulent emails, websites, and phone calls.
- It’s crucial for the PNP to emphasize the importance of promptly notifying banks in the event of any suspicious activities.
Your email address will not be published. Required fields are markedmarked