[Virtual Presenter] We are discussing a critical report from the Information Technology Services Department about compromised email accounts. The report presents the findings and actions taken to resolve this security issue. Let's examine the specifics.
[Audio] The references used in this report include a Facebook post by the Philippines Exodus Security on 13 February 2025, which provides evidence of alleged users/stakeholders' credential leakage involving the Philippine Charity Sweepstakes Office. An email from the DICT National Computer Emergency Response Team with a subject line indicating a breach reporting procedure under the Data Privacy Act of 2012 also supports this claim. Furthermore, two cybersecurity incident case reports dated 13 and 14 February 2025 offer additional evidence of this alleged breach.
[Audio] On February 13, 2025, an entity named Philippine Exodus Security posted on its Facebook page pictures of SuperLotto 6/49 tickets purchased in an outlet in Quezon Province, identified by the agency number on the ticket. The post also featured a woman holding tickets and NCL Cagayan's list of participants in the "Super Ticket Para kay Super Pinay" promo in March 2022. Furthermore, an email account "_g@pcso.gov.ph" was displayed, which is believed to have been compromised. ITSD reported that the suspected compromised email was NCL Cagayan's account ncl_cagayan@yahoo.com, not the corporate email account. On the same day, the DICT National Computer Emergency Response Team (NCERT) sent an email with the subject "[TLP: AMBER + STRICT] NCERT Ticket#9301 [Allegated Users/Stakeholders' Credential Leakage - Philippine Charity Sweepstakes Office]" (Exhibit B).
[Audio] The investigation revealed that the "_g@pcso.gov.ph" email account, initially thought to belong to the Philippine Charity Sweepstakes Office, was actually owned by the Marketing Division of the Product and Standard Development Department. On February 14th, additional findings were made, including screenshots related to two contests, "Bet on Your Best Buddy" and "Super Ticket Para Kay Super Pinay". As a result, ITSD notified the department's management and instructed all personnel to change their default passwords due to the compromised email account.
[Audio] On February 16th, we extracted all 673 email accounts from our old email servers. These accounts belonged to various groups, including job order personnel, retired employees, and non-person-specific email accounts. Unfortunately, 38 of these accounts were still using their default passwords. We monitored network activity until midnight, but no threats were detected. However, on February 17th, we discovered a potential threat originating from a PC that had been infected. This allowed a threat actor to gain unauthorized access to our network. As soon as we became aware of this incident, we immediately reformatted the affected PC.
[Audio] We did not find any information about jackpot winners upon reviewing the downloaded pictures/screenshots posted on PES Facebook. Instead, we discovered emails exchanged between branch offices and the marketing division, discussing the liquidation process and providing evidence that real people participated in the promotional activities. We also came across emails sent by applicants who took part in various contests, such as "Bet on Your Best Buddy", "FB photo collage making", and "Lotto Bucket List". The PES Facebook page is currently inaccessible, which highlights the need to stay alert against potential retaliatory actions from the hacking group.
[Audio] All 673 email accounts, as well as the old email servers hosting them, will be decommissioned to prevent any further movement from the threat actor. New Microsoft 365 accounts will be issued to the affected users, featuring enhanced security measures such as multi-factor authentication. We expect to complete this process by March 2025, prioritizing active and critical accounts, including those belonging to key departments and offices.
[Audio] Organizations are required to notify the NPC within seventy-two hours upon knowledge of or reasonable belief that a breach has occurred. This notification must be made when at least 100 individuals are affected. Furthermore, the full report of the personal data breach must be submitted within five days from notification. Failure to comply with these requirements can result in severe penalties, including imprisonment and fines ranging from PHP 500000 to PHP 1000000.
[Audio] The cybersecurity incident case report reveals that 38 email accounts were found to be using default passwords, compromising the organization's security. This finding emphasizes the significance of implementing strong password policies and educating users on secure password practices. Additionally, a potential threat was identified emanating from a PC, which was quickly resolved through immediate reformatting. This incident serves as a warning about the necessity of constant monitoring and prompt response to emerging security issues.
[Audio] The Information Technology Services Department has identified compromised email accounts and has taken immediate action to secure them. The department has also implemented additional security protocols to prevent future breaches. The compromised email accounts were found to be using default passwords, and the department has since reformed the affected PCs. The department plans to decommission the old email servers and replace them with Microsoft 365 accounts, which will include multi-factor authentication. The goal is to complete this process by March 2025, prioritizing active and critical accounts. The department urges the board to approve its measures to maintain a safe and secure email system.