CYBER CRIME: 345,000 sensitive legal documents from the PH government have been exposed online

The security firm that discovered the files says the leak could disrupt ongoing judicial proceedings

.

 

For at least two months, some 345,000 sensitive court documents from the Office of the Solicitor General of the Philippines related to ongoing legal cases were made publicly available online and could have been accessed by anyone who knew where to look, according to the UK security company TurgenSec, which identified the data exposure. The firm says that the documents – which contained hundreds of instances of words like “rape,” “execution,” and “trafficking” – had been removed as of April 28, but some are still cached by Google’s search engine and can be found on the open web.

.

.

“It’s not like a traditional data breach that we disclose,” said a spokesperson for TurgenSec. “This one caught our eye because it seems that it might have broader ramifications.”

The spokesperson said they worried that information in the documents could affect ongoing court cases and might be used to identify witnesses or attempt to intimidate victims. The Solicitor General’s office is responsible for representing the government in any litigation that goes before the Philippine Supreme Court or Court of Appeals.

TurgenSec was alerted to the data exposure in February by a third-party whistleblower who downloaded the files and sent them to the security firm for examination. TurgenSec was unable to confirm whether anyone else had accessed or downloaded the data, but the spokesperson noted that it wouldn’t have been difficult for a state actor or open source investigator to do so. As part of a “responsible disclosure” procedure, the company reached out to the Solicitor General’s office twice in an attempt to alert them to the breach but received no response.

It’s not clear why the Philippine Solicitor General’s office and Department of Justice did not respond to TurgenSec, or why the documents were made private only recently. Rest of World reached out to the Philippine Department of Justice, which acknowledged the message but did not comment in time for publication. The website for the Solicitor General’s office was also hacked last December.

TurgenSec, which also runs Breaches.uk, a website that tracks data breaches, said that it chose not to sift through each document, in order to protect the privacy of the individuals named in them. But a keyword search suggests the files contain delicate information that should be kept private. The documents mention the word “rape” 774 times, “trafficking” 135 times, and “execution,” 437 times. Terms like “terrorist” or “terrorism” also appear in numerous instances, along with other words, such as “private,” “confidential,” “password,” “witness,” and “Duterte,” referring to Philippine President Rodrigo Duterte.

According to the TurgenSec spokesperson, the data wound up on the open web because of a misconfigured server, or when an administrator accidentally sets a set of documents to “public” rather than “private.”

“The fix takes literally 20 seconds,” said the TurgenSec spokesperson. “They should just be taking these really basic steps to protect their data.” Misconfigured servers are an extremely common mistake: In 2017, World Wrestling Entertainment made a similar error, exposing data from millions of its fans. Last year, TurgenSec also discovered that Virgin Media accidentally left a database public that linked a number of customers to pornography and other explicit websites.

.

It's only fair to share...Share on FacebookShare on Google+Tweet about this on TwitterEmail this to someonePrint this page