Did Senator Gordon Violate Data Privacy Law?

Wilson Chua
Nov 1, 2021

This story is about how the victim of a cybercrime (Sen. Dick Gordon) can end up being liable under the Data Privacy laws of the Philippines. It is a cautionary tale about what went wrong and what our readers can learn from it.

A bit of background:

On or around October 19, 2021, the Philippine hacktivist group Pinoy Vendetta launched two waves of DDoS (Distributed Denial of Service) attacks against Philippine Senator Richard Gordon’s website. This was confirmed on Sen Gordon’s own page.

According to published reports and inside sources, the first wave used foreign PCs and servers. Gordon’s team promptly blocked it with geo-blocking: web requests originating outside the Philippines were dropped, and only Philippine-based requests were allowed through. Pinoy Vendetta then launched a second wave from Philippine-based sources.

Accounts hardcoded in text

But what Pinoy Vendetta really wanted was to deface Sen Gordon’s webpage; the DDoS was a diversionary tactic. They exploited the unpatched web software (Laravel) to obtain files that contained the list of websites, emails, user accounts and passwords. In layman’s terms, these files were the “keys to the castle”.

With those keys, the hackers had access to every part of the site. They were then able to download its files and explore them.

This led to the extraction of private data (addresses) from the voters’ list stored on the Senator’s website. The information of 101K voters is now online. Here is a snippet:

I reached out to Sen Gordon’s web/system administrator identified in the hack to get their input on the story. As of this writing, he has pointed me to the NEW admin. I have not yet been able to contact the new admin.

Bad Practice

“Only the Paranoid survives” was the immediate response of Angel Redoble (PLDT’s First Vice President and Group CISO). Security should be front and center in all web-facing projects.

There should have been a VA (vulnerability assessment) at the very least. From what we saw, basic security was an afterthought in the website project. The server was left unpatched. Critical information was hard-coded in plain text in the web root. Sen Gordon is a high-profile “target”, and of course hackers exploited his website. The next part explains why Sen Gordon (the victim) is possibly liable under the law.

Data Privacy Law:

“SEC. 26. Accessing Personal Information and Sensitive Personal Information Due to Negligence. — (a) Accessing personal information due to negligence shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.”

In short, there is a standard of care for data collectors and processors. There is a saying in Data Privacy practice: “You MUST PROTECT what you COLLECT”. Senator Gordon’s camp, or more precisely their data privacy officer and web team, should have conducted an investigation within the first 24 hours of the incident. From the published reports, this was done. However, they concentrated only on the DDoS attack.

Had they analyzed the web logs, they would have concluded that the sensitive files had been extracted. It is not clear whether they took this step; they may still be unaware of the data loss.
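The log review this paragraph describes can be done with a short script. What follows is an added example, not code from the article or from the Senator’s web team. It assumes the web server wrote standard combined-format access logs and that, as is typical of a Laravel deployment, the plaintext credentials lived in files such as .env under the web root; the log lines below are constructed (TEST-NET addresses) and are not from the incident. The script flags requests for files that should never be served, and separates denied probes (404/403) from requests the server actually answered with a body, which is the evidence an investigator needs in order to conclude that files left the server.

```python
import re
from collections import defaultdict

# Combined log format as written by nginx/Apache by default:
#   ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Paths that should never be reachable through the web server.
# Assumption: a default Laravel layout, where .env holds DB/mail credentials
# and storage/logs/laravel.log can leak stack traces and tokens.
SENSITIVE_PATTERNS = [
    re.compile(r'^/\.env(\.|$)'),                 # .env, .env.bak, .env.backup
    re.compile(r'^/\.git(/|$)'),                  # exposed repository metadata
    re.compile(r'^/storage/logs/'),               # application logs
    re.compile(r'^/storage/app/'),                # private uploads
    re.compile(r'\.(sql|bak|old|zip|tar|gz)$'),   # dumps and backups
]

# Constructed sample log: normal traffic, a scanner that was refused,
# and a later client that was actually served the sensitive files.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Oct/2021:10:01:02 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Oct/2021:10:01:03 +0800] "GET /css/app.css HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Oct/2021:10:02:11 +0800] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.25"
198.51.100.7 - - [19/Oct/2021:10:02:12 +0800] "GET /.git/config HTTP/1.1" 404 162 "-" "python-requests/2.25"
198.51.100.7 - - [19/Oct/2021:10:02:13 +0800] "GET /backup.zip HTTP/1.1" 403 199 "-" "python-requests/2.25"
192.0.2.55 - - [19/Oct/2021:11:40:01 +0800] "GET /.env HTTP/1.1" 200 1532 "-" "curl/7.68.0"
192.0.2.55 - - [19/Oct/2021:11:40:05 +0800] "GET /storage/logs/laravel.log HTTP/1.1" 200 904113 "-" "curl/7.68.0"
192.0.2.55 - - [19/Oct/2021:11:41:00 +0800] "GET /about HTTP/1.1" 200 4410 "-" "curl/7.68.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    rec['path'] = rec['path'].split('?', 1)[0]   # ignore the query string when matching
    return rec


def is_sensitive(path):
    return any(p.search(path) for p in SENSITIVE_PATTERNS)


def find_exfiltration(lines):
    """Split sensitive-path requests into those the server served and those it refused.

    served: (ip, path, bytes, time) for 200 responses with a body -> the file left the server.
    probed: per-IP count of sensitive requests answered with anything else (404, 403, ...).
    """
    served = []
    probed = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec['path']):
            continue
        if rec['status'] == 200 and rec['bytes'] > 0:
            served.append((rec['ip'], rec['path'], rec['bytes'], rec['time']))
        else:
            probed[rec['ip']] += 1
    return served, dict(probed)


def triage(log_text):
    """Summarise what an investigator needs for a breach decision."""
    served, probed = find_exfiltration(log_text.splitlines())
    return {
        'files_served': sorted({path for _, path, _, _ in served}),
        'source_ips': sorted({ip for ip, _, _, _ in served}),
        'bytes_out': sum(size for _, _, size, _ in served),
        'probing_ips': probed,
    }


if __name__ == '__main__':
    summary = triage(SAMPLE_LOG)
    for key, value in summary.items():
        print(f'{key}: {value}')
```

Run against the constructed sample, the script reports that /.env and /storage/logs/laravel.log were served with a body to 192.0.2.55, while 198.51.100.7 only probed and was refused. A 200 with a non-zero byte count on a credential file is the point at which "we were DDoSed" becomes "our keys were taken", and it is what should trigger the internal investigation and the password rotation described later in the article.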

In most cases, they would then have 72 hours to report the breach to the National Privacy Commission (NPC). Manila Bulletin checked with the NPC; as of this writing, no such notification had been made.

However, Atty. Francisco Euston Acero, Meralco’s Deputy Data Privacy Officer, clarified that while there was a data breach, the 72-hour rule does not apply in this case. Three conditions need to be satisfied for it to apply:

  1. The exposed data was enough for fraudsters to commit identity theft.
  2. There are reasonable grounds to believe that the data is in the hands of unauthorized persons.
  3. Taken altogether, there is a likelihood of a real risk of serious harm to the data subject (which must be demonstrable).

But that doesn’t mean Sen Gordon’s team is off the hook. They still need to conduct a proper internal investigation, keep records of the incident, preserve evidence and contact law enforcement.

MB Security Team:

Manila Bulletin’s security team did note that the HTML files hosted on github.io were using an NGROK.io account. This could be a lead to the true identities of the Pinoy Vendetta group.

Also, as a best practice for the security community, Manila Bulletin immediately informed the NPC and Comelec about the breach. We also alerted Sen Gordon’s camp about the hackers’ successful exploits and told them that they need to change all their system and root passwords to ensure that succeeding attacks would fail. We delayed publishing this story to give Sen Gordon’s camp time to change the passwords to their website.
