For at least two months, some 345,000 sensitive court documents from the Office of the Solicitor General of the Philippines related to ongoing legal cases were made publicly available online and could have been accessed by anyone who knew where to look, according to the U.K. security company TurgenSec, which identified the data exposure. The firm says that the documents — whose names contained hundreds of instances of words like “rape,” “execution,” and “trafficking” — had been removed as of April 28, but some are still cached by Google’s search engine and can be found on the open web.
“It’s not like a traditional data breach that we disclose,” said a spokesperson for TurgenSec. “This one caught our eye because it seems that it might have broader ramifications.”
The spokesperson said they worried that information in the documents could affect ongoing court cases and might be used to identify witnesses or attempt to intimidate victims. The Solicitor General’s office is responsible for representing the government in any litigation that goes before the Philippine Supreme Court or Court of Appeals.
TurgenSec was alerted to the data exposure in February by a third-party whistleblower who downloaded the files and sent them to the security firm for examination. TurgenSec was unable to confirm whether anyone else had accessed or downloaded the data, but the spokesperson noted that it wouldn’t have been difficult for a state actor or open source investigator to do so. As part of a “responsible disclosure” procedure, the company reached out to the Solicitor General’s office twice in an attempt to alert them to the breach but received no response.
It’s not clear why the Philippine Solicitor General’s office and Department of Justice did not respond to TurgenSec, or why the documents were made private only recently. Rest of World reached out to the Philippine Department of Justice, which acknowledged the message but did not comment in time for publication. The website for the Solicitor General’s office was also hacked last December.
TurgenSec, which also runs Breaches.uk, a website that tracks data breaches, said that it chose not to sift through each document, in order to protect the privacy of the individuals named in them. But a keyword search suggests the files contain delicate information that should be kept private. The names of the documents mention the word “rape” 774 times, “trafficking” 135 times, and “execution,” 437 times. Terms like “terrorist” or “terrorism” also appear in numerous instances, along with other words, such as “private,” “confidential,” “password,” “witness,” and “Duterte,” referring to Philippine President Rodrigo Duterte.
According to the TurgenSec spokesperson, the data wound up on the open web because of a misconfigured server, or when an administrator accidentally sets a set of documents to “public” rather than “private.”
“The fix takes literally 20 seconds,” said the TurgenSec spokesperson. “They should just be taking these really basic steps to protect their data.” Misconfigured servers are an extremely common mistake: In 2017, World Wrestling Entertainment made a similar error, exposing data from millions of its fans. Last year, TurgenSec also discovered that Virgin Media accidentally left a database public that linked a number of customers to pornography and other explicit websites.
The Philippine government has had trouble protecting the data of its citizens, even beyond the December breach. In 2016, a major breach of the Philippine Commission on Elections exposed information belonging to more than 55 million voters. When the Solicitor General’s website was hacked late last year, the culprits posted a message on the homepage reading “Stop blackmailing the NTC (National Telecommunications Commission)! Give ABS-CBN provisional authority!” according to the Philippine newspaper The Inquirer. The incident happened after the Solicitor General moved to revoke the broadcasting license for the television news broadcaster ABS-CBN, which has been critical of the Duterte administration. (The station lost the bid to renew its license in July of 2020, but its digital channels remain operational.)
“I wouldn’t be surprised if [the people responsible for defacing the Solicitor General’s website] hacked it using information from this data breach, which seems to have been public for quite a while,” said the TurgenSec spokesperson. “It has a bunch of plain-text passwords in there, along with other stuff that should not be public facing.”