President Ferdinand Marcos Jr.’s administration cannot be trusted with Filipinos’ personal information, a data security expert said. And with the recent string of data breaches of private information, this statement only holds more truth.
The Medusa ransomware, operated by a foreign cybercrime organization, hacked the database of state health insurer Philippine Health Insurance Corporation (PhilHealth) on September 23, paralyzing its operations. The National Privacy Commission (NPC) said that a “staggering” 734 gigabytes of sensitive information has been amassed by Medusa (see Sidebar 1).
The hackers asked for USD300,000 in return for PhilHealth’s data folio, but the NPC said that the government will not comply with this demand. This resulted in the publication of contributors’ information on the dark web under Medusa’s website and online platforms like Telegram.
PhilHealth initially denied reports that contributors’ information was accessed by Medusa, saying that only employees’ data was hacked. But under public pressure and an impending investigation from the NPC, its top executives broke down and admitted the truth.
It took nine days before the state insurer finally admitted the leak (see Sidebar 2).
“All these debacles can be attributed to the Marcos administration,” data security expert Maded Batara III of Computer Professionals’ Union (CPU) told Collegian. “The government is a nightmare of privacy rights. It has not shown any strength to pose as cybersecure.”
During the 2024 budget deliberations in Congress, PhilHealth was exposed for not having had anti-virus security software since April this year, citing the expiration of its subscription. Yet the state-run insurer’s top executives amassed a combined salary and benefits that increased threefold up to P72.244 million in 2022, according to the Commission on Audit’s report.
This mess was followed on October 12, when the Philippine Statistics Authority (PSA) reported that its systems and website had been hacked. The Department of Information and Communications Technology (DICT) confirmed this on the same day, attributing the breach to a local hacker. The incident, however, was not a ransom attack, but data stored in PSA’s units are still out there.
A day later, the Department of Science and Technology's systems were also broken into. But for the DICT, this event in the string is just a “small-scale” incident. DICT Undersecretary Jeffrey Dy went as far as to say that the rumors of hacking in the Philippine National Police were just the perpetrators trying to get attention over the event that transpired more than a year ago.
For CPU, this downplaying attitude further highlights the problem with government agencies.
“The DICT has consistently shown us that it cannot be trusted with safeguarding our people’s data—an alarming trend given that they are spearheading the digital transition of government services, which would require the handling of people’s sensitive information,” CPU wrote in an October 4 statement.
Such inactions, then, qualify as a violation by PhilHealth of the Data Privacy Act of 2012. This exposes its executives to criminal liability.
These hacking incidents occurred amid Marcos Jr.’s plan to digitize the government, starting with the controversial SIM Card Registration Act and Philippine Identification System Act.
The SIM Card Registration Act, which started under former President Rodrigo Duterte’s term, has been criticized by CPU and other digital rights groups for its repressive nature, allowing the state to access people’s private information. This puts activists and online whistleblowers in great jeopardy amid intensified state-sponsored crackdowns.
“From a data security standpoint, the SIM Card Registration is worrisome because it puts people’s private information in peril,” said Batara. “Seeing how the government handled the PhilHealth leak, it just shows that they cannot be actually trusted with our information.”
The DICT asked for an additional P5.6 billion on top of its P8.729 billion fund. DICT Undersecretary Heherson Asiddao said they plan to use P2 billion of their 2024 allocation to realize Marcos’s e-government plan, which will digitize bureaucratic processes.
But an audit exposé in the Senate revealed that only 25 percent, or P3.5 billion, of their P13.9 billion budget has actually been utilized. The remaining P10 billion is still unobligated to this day.
“Funding is necessary to conduct mass digital education. Money from the national government is needed to have competent staff who handle citizens’ information,” Batara noted. “If it’s not being used, then where is it going?”
And while the post-pandemic time calls for such a measure, CPU said that this set of leaders is unfit to implement it.
“The government is more interested in investing in technologies for their own personal gains to silence dissent. There has to be some form of justice for people being oppressed by the government's use of technology,” Batara said.
The NPC has already launched the PhilHealthLeak Search Tool, which allows PhilHealth contributors to check whether their personal information was compromised as part of the incident. The information acquired, however, can only be restored but will remain accessible to hackers.
“PhilHealth handles some of the most sensitive information, from credit info to your hospital charts. The fact that the government and PhilHealth were unable to secure these says so much about their ineptitude,” Batara said. “There must be an investigation, and we must hold the government accountable over this, make them pay according to what the law prescribes.”