ADMINISTRATORS of Camarines Sur Polytechnic Colleges got “bothered” when the college’s official website could not be accessed, only to find out later that visitors were redirected to pornographic sites.
“The firewall is not so strong to filter, which is why we were breached,” Rey Cortez, director of the school’s information and communication technology management, told the Varsitarian.
The Camarines Sur institution, which has a student population of about 4,000 on its campus in the first-class municipality of Nabua, never knew the perpetrators. None of the sensitive data from stakeholders, though, was compromised because the attack only centered on the website’s index that transferred users to malicious sites.
The incident is already four years old, and the school was not alone when cybercriminals unleashed a torrent of attacks against nearly 30 websites of higher educational institutions (HEIs) back in June 2020.
Nine HEIs, including De La Salle University, Far Eastern University and San Beda University, suffered sensitive data leaks from their student portals – masterminded by a group of hackers called Pinoy Grayhats, infamous for divulging personal information online.
After the cyberattack, the Camarines Sur school sketched a 10-year development plan to improve its digital infrastructure, with more funds to purchase necessary software and equipment.
“For now, maybe because as we raise our security, of course the attacks on us are also stronger,” Cortez said. “What we did is we now have what we call on-premise, as well as cloud-based, or we still have a backup in another location to protect cybersecurity.”
From the get-go, institutions easily fall victim to cyberattacks because investing in cybersecurity has not been a priority.
Software giant Cisco found in April that only one percent of Philippine companies were mature enough to repel cyberattacks, as 64 percent were still in the process of building up their digital defenses.
Poor investments have left the Philippines one of the most attacked countries in the online hemisphere.
The Department of Information and Communications Technology (DICT) reported in April 2023 that the country ranked fourth in the world in incidents of cyberattacks, most of which were targeted against the government.
The situation gets trickier as new tools are being developed to execute more vicious cyberattacks. Global technology company IBM revealed this year that cybercriminals target valid accounts to commit credential theft, reconnaissance, remote access and data exfiltration.
For its part, the National Privacy Commission (NPC) – an agency created under the Data Privacy Act of 2012 – has been focused on empowering online users to protect their data from cybercriminals.
“The NPC, through education campaigns in different social media platforms, informs data subjects on what to do before, during, and after data breaches,” the agency told the Varsitarian in a letter responding to questions. “The campaigns aim to empower the data subjects to fortify their resilience in an ever-changing cybersecurity landscape.”
UST, through its Educational Technology Center, did not answer questions from the Varsitarian on cybersecurity investments.
In November 2023, the Office of Information and Communication Technology launched a series of seminars called “Project GROWL (Growing Resilience to Online Threats and Weaving Cybersecurity into Learning)” as a collective response of the University to evolving challenges on the internet.
Less trust
“Project GROWL” was born weeks after De La Salle University suffered a “data security incident” that paralyzed its online services, including its official website and the My.LaSalle and Animo.Sys portals.
La Salle admitted in October 2023 that on-premise-hosted applications were affected, but sensitive data and cloud-hosted applications remained “intact.”
The cyberattack in a neighboring university forced UST to temporarily close its online services for “security checks and augmentation procedures.”
Frustration pervaded among some students of La Salle who questioned the university’s capacity to strengthen its cybersecurity when it cannot modify the design of the student portal that has been live since the early 2000s.
“This definitely made me trust the IT experts in the school much less than before,” La Salle applied economics sophomore Vincenzo Valente told the Varsitarian in an interview.
“Knowing how prestigious the university is, I expected the people handling the school’s cybersecurity to be top-notch. Now that their website has been hacked, it made me feel less confident about using their website, especially it being the channel that I use for paying my school fees.”
In the aftermath of the incident, La Salle required its students and faculty members to enable two-factor authentication on their official email accounts. It set up a temporary campus-wide wi-fi network.
La Salle also coordinated with the privacy commission and its partner cybersecurity company, Mandiant, to investigate the matter, according to a report by The LaSallian, the university’s official English-language student publication.
Exploitation
Pinoy Grayhats breached in 2020 the student portal of Bulacan State University (BulSU) by exploiting its outdated program coding. When administrators reached out to the group, though, it revealed its noble intentions.
“They did not leak the data [and] nothing was compromised, but they advised us on how to secure the system,” Reynaldo Gaspar Jr., an information technology officer at BulSU, told the Varsitarian.
After the cyberattack, BulSU upgraded its digital infrastructure to strengthen defense mechanisms against future incidents.
“So, what our office did was take it down first, the system went offline for a while, then we upgraded to a new version so it would be more secure and […] we subscribed to Amazon Web Services (AWS),” Gaspar said.
BulSU learned how to be proactive after its portal was attacked by preparing a standard operating procedure and regularly updating its codes.
“We no longer wait [to be attacked],” Gaspar said. “Aside from subscribing to AWS Cloud, we now always update our program code. We’ll make it a point that when there is a new technology or the programming languages upgrade their version, we will also upgrade right away.”
Vulnerable
Marvin Cereno, a teacher at the Makiling Integrated School in Calamba, Laguna, lamented the vulnerabilities pervading the online database of the Philippine Health Insurance Corp. (PhilHealth).
“The rhetoric of how can you trust an agency who fails to respect your data and privacy always enters the frame of mind,” he told the Varsitarian in an interview. “In the advent of the modern times where scammers are rampant, many Filipinos may be affected under covers.”
Medical and billing records of over 42 million PhilHealth members, translating to 750 gigabytes worth of information, were compromised when a hacker group called “Medusa” targeted the state-owned health insurer on Sept. 22, 2023.
A Medusa ransomware attack is a source of headache for affected companies because cybercriminals threaten to publish sensitive information unless victims pay ransom.
Hackers, for instance, demanded $10 million from a subsidiary of Toyota, the world’s largest automaker, in November 2023 after getting hold of its financial documents, internal organizational charts and account passwords.
In the case of PhilHealth, the health insurer stood its ground by ignoring Medusa’s demand to pay P16 million.
Why did the hackers easily invade such a sensitive database like PhilHealth’s? Executive Vice President Eli Santos said it failed to renew its license for an anti-virus software after it expired in April 2023, citing “procurement issues.”
The PhilHealth breach marked the beginning of a series of cybersecurity incidents among government institutions, including the House of Representatives, the Philippine National Police, the Department of Science and Technology and the Philippine Statistics Authority (PSA).
Authorities suspected that an employee inside the PSA, the country’s repository of civil records and official statistics, with access to internal systems, exposed sensitive data.
Lawyer Eliezer Ambatali, director of PSA’s legal service, told the Varsitarian that the breach was limited to the community-based and monitoring system, a platform used by field offices for reporting.
“[The bad actor] was able to bypass the firewall [and] the login,” he said in an interview. “He used that to inject a file that was used as a mini-shell. So, that became his gate into the system, which leads to the infiltration of the storage facility.”
The director recognized that some Filipinos would perceive the incident as a serious cybersecurity matter, but he assured citizens that measures were in place to protect sensitive information at the PSA’s disposal.
“Perhaps that vulnerability was not checked during the launch of the system, or we did not immediately recognize it [as] a vulnerability, which became a way for the bad actor to take advantage,” Ambatali stressed. “So right now, since this happened, it’s a learning experience that we check all our boxes.”
What now?
The government’s National Cybersecurity Plan for 2028 – a 45-page report adopted in February that outlines measures to ensure a “trusted, secure and reliable cyberspace for every Filipino” – admitted that all sectors have failed to pour enough resources into strengthening cybersecurity.
“The public and private sectors’ adoption of cybersecurity policies is poor,” the report, prepared by the DICT, stated. “Except for exceptionally large enterprises, both government agencies and the private sector are reluctant to invest in cybersecurity. In 2017, the Philippines only spent 0.04 percent of its GDP (gross domestic product) in cybersecurity, while the ASEAN (Association of Southeast Asian Nations) average spending was 0.07 percent of its GDP.”
The DICT recommended an array of investments to prevent and repel serious data breaches and hackings, which include:
- establishment of a nationwide command center to handle cybersecurity incidents;
- development of a threat database;
- partnership with online platforms for proper handling of misinformation cases;
- protection of broadband network and submarine cable infrastructure; and
- introduction of partial and full scholarships for students to enroll in cybersecurity-related academic programs.
Asia Pacific, including the Philippines, has spent a whopping $7 billion at the minimum to upgrade its digital infrastructure in the face of relentless attacks, based on data from the International Data Corp. That figure is expected to rise to $52 billion come 2027.
More cybersecurity professionals are needed to meet the industry’s demands. Only 202 individuals, as of 2021, hold Certified Information Systems Security Professional certifications. The country is in search of 180,000 more, according to the National Association of Data Protection Officers of the Philippines.