Department of Public Works and Highways (DPWH)

The Department of Public Works and Highways (DPWH) in the Philippines faces a dual crisis. First, an alleged data leak: an underground forum handle *‘KANLAON’* claims to have exposed 231,761 document lines and 32,125 API entries, including credentials, emails, addresses, and database artifacts, potentially linked to the ₱306M ‘ghost’ flood-control projects in Negros. The leak remains unverified, but if genuine it exposes citizens, employees, and contractors to phishing, identity theft, and fraud. Second, confirmed investigations reveal systemic corruption: DPWH’s former chief has acknowledged ghost projects in Bulacan, the Senate is conducting probes, and the executive branch has created an independent investigative body and imposed sanctions on erring contractors. Operational lapses, such as a DPWH engineer admitting failure to inspect projects, underscore the governance failures. If validated, the leak would compound the reputational damage, financial fraud, and public distrust; the ghost projects alone demand accountability reforms. The case highlights weaknesses in public-sector cybersecurity and procurement integrity.

Source: https://izoologic.com/threat-advisory/emerging-actor-kanlaon-claims-dpwh-data-leak-amid-confirmed-ghost-flood-control-projects/

TPRM report: https://www.rankiteo.com/company/dpwh
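The summary above stresses that the KANLAON claim is unverified, and the record below advises validating underground claims via controlled sampling rather than reacting to headlines. The following is an added example of how a responder can triage a claimed sample against the internal directory; it is not code from DPWH, Rankiteo or iZOOlogic. The key-holding identity team blinds both the directory and the sample with a keyed hash, so the triage team compares blinded values and never receives the directory or the key. The directory, domain, key, sample entries and verdict threshold are all constructed for illustration.

```python
"""Triage a claimed leak sample against a blinded copy of the internal directory.

Added example, not DPWH, Rankiteo or iZOOlogic code. Directory, key, sample
and thresholds are assumptions chosen for illustration.
"""
import hashlib
import hmac
import re
from collections import Counter

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Assumed secret held only by the identity team; rotate after the exercise.
KEY = b"assumed-demo-key-rotate-me"

# Constructed directory (not real DPWH accounts): address -> lifecycle status.
DIRECTORY = {
    "juan.delacruz@example.gov.ph": "active",
    "maria.santos@example.gov.ph": "active",
    "pedro.reyes@example.gov.ph": "active",
    "ana.lim@example.gov.ph": "active",
    "old.staff@example.gov.ph": "disabled",
    "former.contractor@example.gov.ph": "disabled",
}

# Constructed sample as an actor might post it: mixed case, padding, junk line.
SAMPLE = [
    "  Juan.DelaCruz@example.gov.ph ",
    "maria.santos@example.gov.ph",
    "pedro.reyes@example.gov.ph",
    "ana.lim@example.gov.ph",
    "old.staff@example.gov.ph",
    "nobody@example.gov.ph",
    "not-an-email",
]


def blind(key, email):
    """Keyed hash of a normalised address (trimmed, lower-cased)."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def build_blind_index(key, directory):
    """Run on the key-holding side: {blinded address: status} is all triage sees."""
    return {blind(key, e): status for e, status in directory.items()}


def blind_sample(key, sample):
    """Run on the key-holding side: blind well-formed entries, count the junk."""
    blinded, malformed = [], 0
    for entry in sample:
        if EMAIL_RE.match(entry.strip()):
            blinded.append(blind(key, entry))
        else:
            malformed += 1
    return blinded, malformed


def classify(index, blinded_sample, malformed=0):
    """Triage side: count active / disabled / unknown / malformed entries."""
    counts = Counter(malformed=malformed)
    for b in blinded_sample:
        counts[index.get(b, "unknown")] += 1
    return counts


def verdict(counts, min_real=0.7):
    """Heuristic verdict (assumed threshold): a real dump of current data is
    dominated by accounts the directory knows; a stale backup skews to
    disabled accounts; mostly-unknown or junk entries suggest padding."""
    total = sum(counts.values())
    if total == 0:
        return "no_sample"
    real = (counts["active"] + counts["disabled"]) / total
    if real < min_real:
        return "likely_fabricated_or_unrelated"
    if counts["disabled"] > counts["active"]:
        return "consistent_with_old_backup"
    return "consistent_with_current_data"


if __name__ == "__main__":
    index = build_blind_index(KEY, DIRECTORY)
    blinded, junk = blind_sample(KEY, SAMPLE)
    counts = classify(index, blinded, junk)
    print(dict(counts), verdict(counts))
```

The verdict is only a screening step: a sample that is consistent with current data still has to be traced to a source system (which table, which export path, which account) before any public statement is made.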

{
"id": "dpw4693146091025",
"linkid": "dpwh",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Public Infrastructure',
                        'location': 'Philippines',
                        'name': 'Department of Public Works and Highways '
                                '(DPWH)',
                        'type': 'Government Agency'},
                       {'location': 'Philippines',
                        'name': 'Citizens and Employees (Potential)',
                        'type': 'Individuals'},
                       {'industry': 'Construction',
                        'location': 'Philippines (Bulacan, Negros)',
                        'name': 'Contractors (Erring)',
                        'type': 'Private Sector'}],
 'customer_advisories': ['Enable MFA and avoid reusing passwords.',
                         'Ignore unsolicited messages referencing DPWH or '
                         'flood-control projects.'],
 'data_breach': {'data_exfiltration': 'Alleged',
                 'number_of_records_exposed': {'api_entries': '32,125 '
                                                              '(Claimed)',
                                               'document_lines': '231,761 '
                                                                 '(Claimed)'},
                 'personally_identifiable_information': ['Emails',
                                                         'Addresses (Claimed)'],
                 'sensitivity_of_data': 'High (if validated)',
                 'type_of_data_compromised': ['Credentials',
                                              'Emails',
                                              'Addresses',
                                              'Database Artifacts (Claimed)']},
 'description': "An underground forum user 'KANLAON' claimed a leak of 231,761 "
                'document lines and 32,125 API entries from the Department of '
                'Public Works and Highways (DPWH). The claim remains '
                "unverified, but separate investigations into 'ghost' "
                'flood-control projects in Bulacan and Negros (₱306M) are '
                'confirmed and ongoing. The leak, if validated, could expose '
                'credentials, emails, addresses, and database artifacts, '
                'posing risks of phishing, identity theft, and fraud. The '
                'Philippine government has initiated probes, including an '
                'independent body by the President and sanctions by the new '
                'DPWH chief, Vince Dizon. Operational lapses, such as '
                'uninspected projects, have been acknowledged.',
 'impact': {'brand_reputation_impact': ['Public Distrust',
                                        'Media Scrutiny',
                                        'Government Probes'],
            'data_compromised': {'claimed': ['Credentials',
                                             'Emails',
                                             'Addresses',
                                             'Database Artifacts'],
                                 'verified': None},
            'financial_loss': {'ghost_projects': '₱306M (Negros)',
                               'potential_fraud': None},
            'identity_theft_risk': 'High (if leak validated)',
            'legal_liabilities': ['Potential Fines',
                                  'Contractor Liability',
                                  'Regulatory Violations (if data leak '
                                  'confirmed)'],
            'operational_impact': ['Oversight Failures',
                                   'Uninspected Projects',
                                   'Contractor Sanctions']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Alleged (Unverified)',
                           'high_value_targets': ['DPWH Databases (Claimed)',
                                                  'Contractor Ecosystem']},
 'investigation_status': {'data_leak': 'Alleged (Unverified)',
                          'ghost_projects': 'Confirmed (Ongoing Probes by '
                                            'Senate and Executive Branch)',
                          'operational_lapses': 'Confirmed (Acknowledged by '
                                                'DPWH)'},
 'lessons_learned': ['Underground claims require forensic validation before '
                     'public response.',
                     'Operational lapses (e.g., uninspected projects) '
                     'exacerbate fraud risks.',
                     'High-profile probes attract threat actors exploiting '
                     'headlines for social engineering.'],
 'motivation': ['Financial Gain (Alleged)',
                'Activism/Hacktivism (Possible)',
                'Reputation Damage (Possible)'],
 'post_incident_analysis': {'corrective_actions': ['Strengthen contractor '
                                                   'oversight and sanctions '
                                                   '(DPWH).',
                                                   'Independent probe into '
                                                   'flood-control anomalies '
                                                   '(President).',
                                                   'Public/private sector '
                                                   'coordination for leak '
                                                   'validation.'],
                            'root_causes': ['Lack of project inspections '
                                            '(operational lapse)',
                                            'Potential insider threats or '
                                            'third-party breaches (if leak '
                                            'validated)',
                                            'Weak credential hygiene '
                                            '(hypothetical)']},
 'recommendations': [{'for_organizations': ['Rotate high-privilege credentials '
                                            'and revoke stale tokens.',
                                            'Enforce MFA across '
                                            'email/CRM/admin consoles.',
                                            'Implement DMARC to reject '
                                            'phishing emails.',
                                            'Validate contractor bank details '
                                            'out-of-band.',
                                            'Monitor for unusual API calls, '
                                            'mass exports, and OAuth spikes.',
                                            'Pre-draft factual statements for '
                                            'potential brand mentions in '
                                            'leaks.']},
                     {'for_individuals': ['Enable MFA for email, banking, and '
                                          'government portals.',
                                          'Be skeptical of '
                                          'DPWH/flood-control-themed messages.',
                                          'Avoid password reuse; use a '
                                          'password manager.']}],
 'references': [{'source': 'Philippine News Agency'},
                {'source': 'Presidential Communications Office'},
                {'source': 'iZOOlogic Analysts'}],
 'regulatory_compliance': {'legal_actions': ['Senate Blue Ribbon Inquiry',
                                             'Independent Probe by President']},
 'response': {'communication_strategy': ['Pre-Drafted Statements for Brands '
                                         '(Recommended)',
                                         'Public Advisories on Phishing Risks '
                                         '(Recommended)'],
              'enhanced_monitoring': ['API Calls',
                                      'Mass Exports',
                                      'OAuth Consents (Recommended)'],
              'remediation_measures': ['Credential Rotation (Recommended)',
                                       'MFA Enforcement (Recommended)',
                                       'DMARC Implementation (Recommended)',
                                       'Monitoring for Unusual API Calls '
                                       '(Recommended)']},
 'stakeholder_advisories': ['Assume threat actors will exploit probe headlines '
                            'for phishing.',
                            'Validate underground claims via controlled '
                            'sampling and authority coordination.'],
 'threat_actor': {'handle': 'KANLAON', 'type': 'Underground Forum User'},
 'title': 'Alleged DPWH Data Leak and Confirmed Ghost Flood-Control Projects '
          'Investigation',
 'type': ['Data Leak (Alleged)',
          'Fraud (Confirmed)',
          'Operational Lapse (Confirmed)']}