Cyber Incident Victim: Philippine Statistics Authority

On October 7, 2023, a social media post by an unidentified actor alleged a data leak involving a system managed by the Philippine Statistics Authority (PSA). The PSA activated its Data Breach Response Team (DBRT) on the same day and initiated an investigation into the claims. The agency coordinated with multiple government entities including the Compliance and Monitoring Division of the National Privacy Commission (NPC), the National Computer Emergency Response Team-Philippines (NCERT-PH) under the Department of Information and Communications Technology (DICT), and the Anti-Cybercrime Group of the Philippine National Police (PNP). Initial assessments indicated the Community-Based Monitoring System (CBMS) was the primary system affected, though investigations remained ongoing to determine the scope of compromised personal data. The PSA emphasized that its Philippine Identification System (PhilSys) and Civil Registration System (CRS) remained unaffected by the incident. As a precautionary measure, the agency isolated and shut down the CBMS system to prevent further unauthorized access.

The PSA issued a public warning on October 11, 2023, advising against interacting with social media posts containing alleged sample data due to embedded malware links that could facilitate cybercrime. The agency condemned the breach and committed to collaborating with law enforcement to identify and apprehend the perpetrators. While no specifics about compromised data volumes or affected individuals were disclosed, the PSA stated it would share further details with authorities and the public upon completing its assessment. Containment efforts included reinforcing technical, organizational, and physical security measures across all PSA-managed systems. The agency maintained its focus on safeguarding data confidentiality and system integrity amid ongoing investigations and remediation activities.