A data store belonging to The Solicitor General of the Philippines containing 345,000 files and documents was downloaded by a third party, with the information left available on the web, according to cyber security company TurgenSec.

“This data breach is particularly alarming as it is clear that this data is of governmental sensitivity and could impact on-going prosecutions and national security,” the UK firm said.

“An unknown third party has this data and it is likely now in the hands of malicious actors who could do considerable damage with it if mitigation steps are not taken.

“We encourage The Solicitor General of the Philippines to submit the breached data to digital forensics specialists to ascertain the extent of this data breach and whether any file’s integrity was compromised.

“We also encourage them to publicly outline the extent of the information exposed and breached, and what steps are being taken to ensure this cannot happen again.” 

The leak includes documents generated in the day-to-day running of The Solicitor General’s office (OSG), staff training documents, internal passwords and policies, staff payment data, information on financial processes, and activities including audits, as well as several hundred files titled with the keywords ‘Private’, ‘Confidential’, ‘Witness’, ‘Password’ and ‘Security’, said TurgenSec.

Topics include rape (774 documents), execution (437), drug (271), child (143), abuse (123) and terrorism/terrorist (30). 

The company said it emailed The Solicitor General and Philippine government on 1 and 24 March, but received no reply. “The breach was closed by the 28th of April, presumably using information provided by TurgenSec,” the company added.

Solicitor General Jose Calida has vowed to “run after” those who accessed his office’s confidential files, local media reported.

“In upholding its role as the principal law officer and legal defender of the government of the republic of the Philippines, the country can rest assured that these crimes against data privacy committed upon the state and its clients shall not go unpunished, and that the perpetrators thereof shall be prosecuted to the fullest extent of the law,” the OSG said.

“TurgenSec was unable to confirm whether anyone else had accessed or downloaded the supposedly leaked data,” it added.

“While the OSG notes the responsible disclosure procedure of TurgenSec, the OSG must still be wary of unverified reports sent to its office and shall respond appropriately only after a proper verification has been undertaken as to the accuracy and veracity of these alleged data breaches.”

The office also said: “All necessary steps have been put in place in order to protect the confidential and sensitive information contained in its submissions before the courts of justice.”
