Business establishments transacting business with the Catanduanes State University were surprised to learn last week that their data had been exposed in an attack by unidentified hackers on the university’s computerized accounting system in July 2024.
In the first such attack by computer hackers on any government or private institution in the island, the data breach possibly involved the date of more than 500 permanent and temporary university officials and employees as well as scores of suppliers and service contractors.
In a letter expressing regret to the affected companies, CatSU’s Breach Response Team specified which data or information were exposed in the breach of the system.
“Per out initial investigation, the Electronic New Government Accounting System (eNGAS) was attacked by ransomware on July 24, 2024, which was discovered on July 26, 2024,” the team stated.
“The system is currently inaccessible and the data therein was encrypted,” it added. “Your data in the system may be used by the unauthorized persons who hacked the system.”
The Tribune sent an email to the university’s Data Protection Officer for more information about the incident, especially the extent of the data breach and who were affected but no response has been received as of press time.
According to IBM, ransomware is a type of malware that holds a victim’s sensitive data or device hostage, threatening to keep it locked—or worse—unless the victim pays a ransom to the attacker.
While earliest ransomware attacks simply demanded a ransom in exchange for the encryption key needed to regain access to the affected data or use of the infected device, such attacks have evolved in recent years to include double-extortion and triple-extortion tactics that raise the stakes considerably.
Double-extortion attacks add the threat of stealing the victim’s data and leaking it online, the company said, while in triple-extortion attacks, the stolen data is used to attack the victim’s customers or business partners.
The CatSU team did not disclose if the unknown suspects demanded a ransom for the stolen data.
The enhanced eNGAS software was developed by information technology (IT) experts from the Commission on Audit (COA) for use in the submission of financial reports required by the Department of Budget Management (DBM), COA and Department of Finance-Bureau of Treasury (DOF-BTr) from government agencies.
Addressing the concerns about the data breach, the CatSU team informed that it has undertaken measures to address the situation and reduce the harm or negative consequences of the breach.
“We have already isolated the system from the campus network and is undergoing reinstallation of the system,” it said, adding that the university has back-up files of the personal information of those affected and these will be reuploaded into the system.
It likewise disclosed that it had scanned and installed antivirus with ransomware protection in the computer units using the Engas.
The incident has already been reported to the Department of Information and Communications Technology (DICT) Cybersecurity Bureau for forensic investigation and recommendations.
“We are coordinating with the cybersecurity unit of our law enforcement authorities for the investigation, identification and arrest of the perpetrators,” the Breach Response Team bared.
It likewise assured that the university is committed to resolving the issue promptly and strengthening its cybersecurity measures to prevent future incidents.
A check with the DICT provincial office elicited the response that the cybersecurity bureau’s National Computer Emergency Response Team has already provided assistance to the university.
An official of the Catanduanes Provincial Police Office confirmed that personnel of the cybercrime unit headed by PSSg Daisy Jane Balmadrid have already visited the university regarding the matter.
According to the COA, the eNGAS is designed with several security features to ensure the integrity and confidentiality of financial data, thus ensuring that the system remains a secure platform for managing government financial transactions
Among its key aspects include: User Authentication, which requires users to log in with unique credentials, ensuring that only authorized personnel can access the system; Access Control, with different levels of access granted based on user roles, limiting the ability to view or modify data to those with the appropriate permissions; Data Encryption, in which sensitive data is encrypted to protect it from unauthorized access and breaches; Audit Trails, in which detailed logs of all transactions and changes are maintained to allow thorough auditing and tracking of activities; and Regular Updates through security patches and updates to address vulnerabilities and enhance protection.
A ranking official of the COA provincial office told the Tribune that he has not heard of a similar hacking incident affecting eNGAS software installed in other government agencies.