Incorrectly Configured Servers Lead to Massive Data Breach in the Philippines

Supreme Court of the Philippines in Padre Faura on June 19, 2018. Photo by LeAnne Jazul/Rappler
3 years ago

TurgenSec recently revealed that the Solicitor General’s Office in the Philippines was responsible for a massive data breach that made 345,000 sensitive documents available to anyone with an internet browser. The documents concerned military cases, human trafficking, rape and a whole host of other sensitive issues. Despite being notified about the breach by TurgenSec, the Philippines government has never responded to the notification from the security company.

This kind of apathy is troubling in a government agency, and without the efforts of external entities, the affected citizens would never have known that the breach occurred.

The Troubling Breach Was Preventable

TurgenSec experts have identified that the data breach was the result of incorrectly configured servers that allowed all of the sensitive documents involved to be set to “public” rather than “private”. This highlights the lack of awareness that even governments can have about the importance of correctly configured networks to maintain security.

“The fix takes literally 20 seconds,” a TurgenSec spokesperson said. They also pointed out that this kind of breach happens because “really basic steps” are not taken to protect the data in question. This kind of error is not as uncommon as you would think, and even giants like Virgin Media have exposed sensitive documents and information through incorrectly configured servers.

This is Not the First Offense for the Philippines Government

Sadly, like some of the other companies and governments that TurgenSec has exposed in the past, the Philippines government has had data breach issues before. There was another major breach in 2016 when the Philippines Commission on Elections exposed the information of 55 million voters.

People who interface with companies and governments around the world expect that these entities will take the security of their own data seriously. These kinds of data breaches make it quite clear how seldom this is actually the case, with some companies and government offices being consistent offenders.

Without Cybersecurity There is no Trust

Companies and governments have a responsibility to protect the data of those they work with, or those they are involved with for legal reasons. There is no excuse for the type of data breach that the Solicitor General has caused, and even less excuse for their sweep-it-under-the-rug attitude. Being unwilling to submit the breach for examination by experts means that they are unwilling to be told the extent of the breach, and it also makes it clear that they do not value any information about ways to prevent this kind of issue in the future.

Companies should take note that without cybersecurity protocols in place, there can be no trust. No one wants to be forced to do business with companies that cannot keep their data even minimally secure. The issue of cybersecurity is getting increasing attention these days, and entities that are unwilling to make an effort to provide it to their customers or the citizens that they profess to be protecting should be prepared to be exposed.
