
The Department of Information and Communications Technology is mandated by Republic Act (RA) 10844 or the DICT Act of 2015 to be the primary policy, planning, coordinating, implementing, and administrative entity of the Executive Branch of the government that will plan, develop, and promote the national ICT development agenda.

Department of Information and Communications Technology A.I CyberSecurity Scoring

DICT

Company Details

LinkedIn ID: dictgovph
Number of employees: 634
Number of followers: 498,184
NAICS: 92
Industry Type: Government Administration
Homepage: dict.gov.ph
IP Addresses: 0
Company ID: DEP_1285932
Scan Status: In-progress

DICT Risk Score (AI oriented): Between 650 and 699

  • Powered by our proprietary A.I cyber incident model
  • Insurance prefers TPRM score to calculate premium

DICT Company CyberSecurity News & History

Past Incidents: 2
Attack Types: 1
Department of Information and Communications Technology (DICT)
Breach
Severity: 50
Impact: 2
Seen: 9/2025
Rankiteo Explanation: Attack limited on finance or reputation

Description: The DICT reported an incident involving its **eComplaints system**, a third-party service linked to the **eGov PH platform**, where over **30,000 complaint records** were allegedly exposed. The department clarified that the **eGov PH app itself was not compromised**, and the breach was isolated to the eComplaints system, which operates separately from the main infrastructure. DICT emphasized that **no personal data on the eGov platform was leaked**, as it remains encrypted and protected by cybersecurity measures. While the exact nature of the exposed records (e.g., whether they contained sensitive personal or financial details) was not confirmed, the incident raised concerns about **third-party vulnerabilities** in government digital services. DICT committed to providing updates as further verified information becomes available, reiterating its priority to safeguard citizen privacy. The incident did not result in a full-scale breach of the primary eGov PH system, but the exposure of complaint records—even if non-sensitive—could still undermine public trust in digital governance platforms.

Department of Information and Communications Technology (DICT) - Philippines
Breach
Severity: 100
Impact: 5
Seen: 6/2016
Rankiteo Explanation: Attack threatening the organization’s existence

Description: The DICT’s **eGov ‘super app’** and its **eLGU platform**—used by **14 million Filipinos** and **924+ local government units (LGUs)**—were deployed **without signed contracts (MOAs/MOUs)** defining data protection responsibilities, breach reporting, or liability. An **internal audit (2025)** revealed **40 out of 85 eLGU-adopted LGUs had no agreements**, while **474 out of 973 iBPLS-adopted LGUs lacked complete MOAs**, exposing **unclear accountability** for data breaches. The system **collects excessive personal data upfront** (government IDs, live photos, signatures, addresses) even for basic services like viewing health centers, raising **proportionality concerns** under privacy laws. The absence of **Data Sharing Agreements (DSAs)** or formal policies leaves **no clear recourse for citizens** in case of breaches, despite **routine hacking incidents** (e.g., **19 government sites hacked in September 2025 protests**). DICT claims **no data is stored or shared** via eGovDX APIs, but **experts warn this creates legal ambiguity**, risking **COA disallowances** for irregular spending (e.g., **₱377.64M in contracts without enforceable agreements**). Former NPC officials highlight the **government’s poor track record** in breach accountability, citing unresolved cases like the **2016 Comelec hack**. The platform’s **lack of transparency** and **unmitigated risks** undermine trust in a system handling **sensitive citizen data** at scale.


Underwriter Stats for DICT

Incidents vs Government Administration Industry Average (This Year)

Department of Information and Communications Technology has 51.52% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Department of Information and Communications Technology has 56.25% more incidents than the average of all companies with at least one recorded incident.

Incident Types DICT vs Government Administration Industry Avg (This Year)

Department of Information and Communications Technology reported 1 incident this year: 0 cyber attacks, 0 ransomware, 0 vulnerabilities, 1 data breach, compared to industry peers with at least 1 incident.

Incident History — DICT (X = Date, Y = Severity)

DICT cyber incidents detection timeline including parent company and subsidiaries


DICT CyberSecurity News

November 27, 2025 11:55 AM
Cybersecurity and New Technologies | Office of Counter-Terrorism

At the Cyber challenge, 15 teams of young innovators presented solutions & received guidance from experts to develop creative ideas, ranging from P/CVE to...

November 27, 2025 10:49 AM
Cybersecurity and New Technologies | Office of Counter-Terrorism

Misuse of information and communications technologies: There is growing concern over the misuse of information and communications technologies (ICT) by...

October 22, 2025 07:00 AM
Gov. Hobbs unveils Tucson cybersecurity center at PCC event | Arizona News

TUCSON, Ariz. (KVOA) - Arizona Gov. Katie Hobbs is set to announce a new partnership between Pima Community College (PCC) and the Arizona...

October 06, 2025 07:00 AM
BIETA: A Technology Enablement Front for China's MSS

Discover how China's Ministry of State Security (MSS) almost certainly operates BIETA and its subsidiary CIII as public fronts for...

September 07, 2025 07:04 PM
Developments in the field of information and telecommunications in the context of international security

Few technologies have been as powerful as information and communications technologies (ICTs) in reshaping ec.

August 27, 2025 11:29 PM
Thailand jointly endorses establishment of the United Nations global mechanism on cybersecurity

On 11 July 2025, Thailand, along with other United Nations Member States, endorsed the establishment of the Global Mechanism on developments in the field of...

August 07, 2025 07:00 AM
SYNERGY QUANTUM LAUNCHES SAUDI ARABIA'S BENCHMARK FULL-STACK QUANTUM CYBERSECURITY FACILITY AT THE GARAGE, BACKED BY THE MINISTRY OF COMMUNICATIONS AND INFORMATION TECHNOLOGY (MCIT)

PRNewswire/ -- In a significant step supporting the Kingdom of Saudi Arabia's ambitious digital transformation agenda, Synergy Quantum,...

July 16, 2025 07:00 AM
Thailand jointly endorses establishment of the United Nations global mechanism on cybersecurity

On 11 July 2025, Thailand, along with other United Nations Member States, endorsed the establishment of the Global Mechanism on developments...

June 30, 2025 07:00 AM
Cybersecurity

The Department of Homeland Security and its components play a lead role in strengthening cybersecurity resilience across the nation and sectors.


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

DICT CyberSecurity History Information

Official Website of Department of Information and Communications Technology

The official website of Department of Information and Communications Technology is https://dict.gov.ph/.

Department of Information and Communications Technology’s AI-Generated Cybersecurity Score

According to Rankiteo, Department of Information and Communications Technology’s AI-generated cybersecurity score is 698, reflecting their Weak security posture.

How many security badges does Department of Information and Communications Technology have?

According to Rankiteo, Department of Information and Communications Technology currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Department of Information and Communications Technology have SOC 2 Type 1 certification ?

According to Rankiteo, Department of Information and Communications Technology is not certified under SOC 2 Type 1.

Does Department of Information and Communications Technology have SOC 2 Type 2 certification ?

According to Rankiteo, Department of Information and Communications Technology does not hold a SOC 2 Type 2 certification.

Does Department of Information and Communications Technology comply with GDPR ?

According to Rankiteo, Department of Information and Communications Technology is not listed as GDPR compliant.

Does Department of Information and Communications Technology have PCI DSS certification ?

According to Rankiteo, Department of Information and Communications Technology does not currently maintain PCI DSS compliance.

Does Department of Information and Communications Technology comply with HIPAA ?

According to Rankiteo, Department of Information and Communications Technology is not compliant with HIPAA regulations.

Does Department of Information and Communications Technology have ISO 27001 certification ?

According to Rankiteo, Department of Information and Communications Technology is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Department of Information and Communications Technology

Department of Information and Communications Technology operates primarily in the Government Administration industry.

Number of Employees at Department of Information and Communications Technology

Department of Information and Communications Technology employs approximately 634 people worldwide.

Subsidiaries Owned by Department of Information and Communications Technology

Department of Information and Communications Technology presently has no subsidiaries across any sectors.

Department of Information and Communications Technology’s LinkedIn Followers

Department of Information and Communications Technology’s official LinkedIn profile has approximately 498,184 followers.

NAICS Classification of Department of Information and Communications Technology

Department of Information and Communications Technology is classified under the NAICS code 92, which corresponds to Public Administration.

Department of Information and Communications Technology’s Presence on Crunchbase

No, Department of Information and Communications Technology does not have a profile on Crunchbase.

Department of Information and Communications Technology’s Presence on LinkedIn

Yes, Department of Information and Communications Technology maintains an official LinkedIn profile, which is actively used for branding and talent engagement and can be accessed here: https://www.linkedin.com/company/dictgovph.

Cybersecurity Incidents Involving Department of Information and Communications Technology

As of December 04, 2025, Rankiteo reports that Department of Information and Communications Technology has experienced 2 cybersecurity incidents.

Number of Peer and Competitor Companies

Department of Information and Communications Technology has an estimated 11,337 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Department of Information and Communications Technology ?

Incident Types: The types of cybersecurity incidents that have occurred include Breach.

How does Department of Information and Communications Technology detect and respond to cybersecurity incidents ?

Detection and Response: For the eComplaints incident, an incident response plan was activated (public statement issued), and the communication strategy was a public denial of an eGov PH breach, clarification that the incident was isolated to the eComplaints system, and a commitment to updates. For the eLGU audit findings, no incident response plan was activated (per audit findings; no clear protocols) and law enforcement was not notified (NPC would investigate post-breach, per DICT). Remediation measures were DICT's claim that the audit issue was 'resolved' with the Internal Audit Service (no details provided) and a plan of action demanded by the audit (due 09 June 2025). The communication strategy was DICT Undersecretary David Almirol Jr. defending the rollout in media interviews, with no public advisory issued to users about risks.

Incident Details

Can you provide details on each incident ?

Incident : Data Exposure (Disputed Breach)

Title: Potential Data Exposure in DICT's eComplaints System (Isolated from eGov PH Platform)

Description: The Department of Information and Communications Technology (DICT) denied reports of a data breach on its **eGov PH platform**, clarifying that the incident was isolated to the **eComplaints system**, a third-party service integrated with eGov PH. The eComplaints system is managed separately from the app’s main infrastructure. DICT stated there is **no evidence of a data breach within the eGov PH App**, and all personal information on the platform remains **secure, encrypted, and protected by cybersecurity protocols**. The department emphasized that safeguarding citizen privacy is its highest priority and will release updates as more verified information becomes available.

Type: Data Exposure (Disputed Breach)

Incident : Data Privacy Violation

Title: DICT Internal Audit Reveals 'Significant Non-Compliance' in eGov eLGU Platform Rollout Without Contracts

Description: A 2025 internal audit by the Department of Information and Communications Technology (DICT) in the Philippines uncovered that the eGov 'super app' and its eLGU (electronic Local Government Unit) platform were deployed nationwide without signed contracts (MOAs/MOUs) with LGUs. These contracts are critical for defining data protection responsibilities, breach reporting, and accountability. The audit highlights 'significant non-compliance' and 'unclear liability' risks, especially as the platform collects excessive personal data (e.g., government IDs, live photos, signatures) from 14 million users—even for basic services like viewing health center locations. The absence of agreements also raises concerns about cybersecurity vulnerabilities, regulatory compliance (e.g., Data Privacy Act), and potential financial/legal repercussions. Former National Privacy Commission (NPC) officials warn of systemic risks, including difficulty assigning blame in breach scenarios, while DICT Undersecretary David Almirol Jr. defends the rollout under the Ease of Doing Business law (RA 11032), claiming contracts are unnecessary.

Date Detected: 2025

Date Publicly Disclosed: 2025-06-05

Type: Data Privacy Violation

Vulnerability Exploited: Lack of Data Processing Agreements (DPAs/DSAs), Absence of Memoranda of Agreement (MOAs) with LGUs, Unclear Accountability Frameworks, Overcollection of Personal Data, Weak Cybersecurity Safeguards in Government Systems

Motivation: Rapid Deployment Under Ease of Doing Business Law (RA 11032), Avoidance of 'Red Tape' (per ARTA advice), Centralization of Government Services

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Breach.

Impact of the Incidents

What was the impact of each incident ?

Incident : Data Exposure (Disputed Breach) DIC3833538092225

Systems Affected: eComplaints system (third-party service)

Brand Reputation Impact: Potential (due to disputed breach claims)

Incident : Data Privacy Violation DIC2762527111925

Data Compromised: Government IDs (e.g., driver’s license, passport), Live photos, Full names, Birthdates, Addresses, Signatures, Phone numbers, Emails, Gender, Passport details (for eTravel)

Systems Affected: eGov PH Super App, eLGU Platform (924+ LGUs onboarded as of Oct 2025), Single Sign-On (SSO) System, EGovDX Data Exchange APIs, iBPLS (Integrated Business Permits and Licensing System)

Operational Impact: Unclear liability for data breaches, Potential COA (Commission on Audit) disallowances, Risk of 'irregular' budget usage, Lack of breach notification protocols, Difficulty in assigning accountability for cybersecurity incidents

Brand Reputation Impact: Erosion of public trust in eGov platform, Perception of government negligence in data protection, Potential backlash from 14M+ users

Legal Liabilities: Violation of Data Privacy Act (Philippines), Potential NPC (National Privacy Commission) penalties, Lack of legal recourse for affected citizens, Risk of lawsuits from data subjects

Identity Theft Risk: High (due to excessive collection of PII without safeguards)

Payment Information Risk: Moderate (eTravel requires passport details)

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personally Identifiable Information (PII), Biometric Data (Live Photos, Signatures), Government-Issued IDs, and Contact Information.

Which entities were affected by each incident ?

Incident : Data Exposure (Disputed Breach) DIC3833538092225

Entity Name: Department of Information and Communications Technology (DICT)

Entity Type: Government Agency

Industry: Public Sector / ICT

Location: Philippines

Incident : Data Privacy Violation DIC2762527111925

Entity Name: Department of Information and Communications Technology (DICT)

Entity Type: Government Agency

Industry: Public Administration

Location: Philippines

Customers Affected: 14,000,000 (eGov app users as of July 2025)

Incident : Data Privacy Violation DIC2762527111925

Entity Name: eGov PH Super App

Entity Type: Digital Platform

Industry: E-Government

Location: Philippines

Customers Affected: 14,000,000

Incident : Data Privacy Violation DIC2762527111925

Entity Name: eLGU Platform

Entity Type: Digital Service

Industry: Local Government

Location: Philippines (924+ LGUs)

Incident : Data Privacy Violation DIC2762527111925

Entity Name: Local Government Units (LGUs) Using eLGU

Entity Type: Government Entities

Industry: Public Services

Location: Philippines (e.g., Quezon City, Pateros, Laoag, Pinili, Cauayan, San Pablo City, Bulacan, Calapan, Odiongan)

Size: 924+ LGUs (as of Oct 2025)

Incident : Data Privacy Violation DIC2762527111925

Entity Name: PhilHealth

Entity Type: Government Agency

Industry: Healthcare

Location: Philippines

Incident : Data Privacy Violation DIC2762527111925

Entity Name: PAG-IBIG Fund

Entity Type: Government Agency

Industry: Housing/Finance

Location: Philippines

Incident : Data Privacy Violation DIC2762527111925

Entity Name: Bureau of Internal Revenue (BIR)

Entity Type: Government Agency

Industry: Taxation

Location: Philippines

Incident : Data Privacy Violation DIC2762527111925

Entity Name: Social Security System (SSS)

Entity Type: Government Agency

Industry: Social Insurance

Location: Philippines

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Data Exposure (Disputed Breach) DIC3833538092225

Incident Response Plan Activated: Yes (public statement issued)

Communication Strategy: Public denial of eGov PH breach; clarification on isolated eComplaints system incident; commitment to updates.

Incident : Data Privacy Violation DIC2762527111925

Incident Response Plan Activated: No (per audit findings; no clear protocols)

Law Enforcement Notified: No (NPC would investigate post-breach, per DICT)

Remediation Measures: DICT claims audit issue 'resolved' with Internal Audit Service (no details provided), Plan of action demanded by audit (due 09 June 2025)

Communication Strategy: DICT Undersecretary David Almirol Jr. defended rollout in media interviews; No public advisory issued to users about risks

What is the company's incident response plan?

Incident Response Plan: The company's incident response plan is described as Yes (public statement issued), No (per audit findings; no clear protocols).

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Exposure (Disputed Breach) DIC3833538092225

Data Encryption: Confirmed (for eGov PH platform data)

Incident : Data Privacy Violation DIC2762527111925

Type of Data Compromised: Personally identifiable information (PII), Biometric data (live photos, signatures), Government-issued IDs, Contact information

Sensitivity of Data: High (includes IDs, biometrics, and passport details)

Personally Identifiable Information: Yes (extensive)

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: DICT claims audit issue 'resolved' with Internal Audit Service (no details provided), Plan of action demanded by audit (due 09 June 2025).

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : Data Privacy Violation DIC2762527111925

Regulations Violated: Data Privacy Act of 2012 (Philippines), Potential COA (Commission on Audit) financial regulations, NPC (National Privacy Commission) guidelines on data sharing

Regulatory Notifications: NPC would investigate post-breach (per DICT), Audit demanded corrective action by 09 June 2025

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Data Privacy Violation DIC2762527111925

Lessons Learned: Lack of contracts creates 'unclear liability' and accountability gaps, Excessive data collection without proportionality undermines trust, Ease of Doing Business mandates should not override data protection, API-based data exchanges require explicit safeguards, Post-breach investigations are insufficient without preventive agreements

What recommendations were made to prevent future incidents ?

Incident : Data Privacy Violation DIC2762527111925

Recommendations: Execute uniform MOAs/MOUs with all LGUs to define roles/responsibilities, Implement Data Sharing Agreements (DSAs) or Data Processing Outsourcing Agreements (DPOAs), Conduct proportionality assessments for data collection, Establish clear breach notification protocols, Publish transparent policies on data handling for users, Align with NPC guidelines and international best practices (e.g., GDPR principles), Address COA risks to avoid budget disallowances, Enhance cybersecurity measures (e.g., encryption, access controls) for EGovDX APIs

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: Lack of contracts creates 'unclear liability' and accountability gaps, Excessive data collection without proportionality undermines trust, Ease of Doing Business mandates should not override data protection, API-based data exchanges require explicit safeguards, Post-breach investigations are insufficient without preventive agreements.

References

Where can I find more information about each incident ?

Incident : Data Exposure (Disputed Breach) DIC3833538092225

Source: DICT Public Statement

Incident : Data Privacy Violation DIC2762527111925

Source: Rappler

URL: https://www.rappler.com

Date Accessed: 2025

Incident : Data Privacy Violation DIC2762527111925

Source: Department of Information and Communications Technology (DICT) Internal Audit (2025)

Date Accessed: 2025

Incident : Data Privacy Violation DIC2762527111925

Source: Ease of Doing Business Law (RA 11032)

Incident : Data Privacy Violation DIC2762527111925

Source: Data Privacy Act of 2012 (Philippines)

Incident : Data Privacy Violation DIC2762527111925

Source: Joint Memorandum Circular (ARTA, DICT, DILG, DTI; April 2021)

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at: DICT Public Statement; Rappler (URL: https://www.rappler.com, Date Accessed: 2025); Department of Information and Communications Technology (DICT) Internal Audit (2025) (Date Accessed: 2025); Ease of Doing Business Law (RA 11032); Data Privacy Act of 2012 (Philippines); and Joint Memorandum Circular (ARTA, DICT, DILG, DTI; April 2021).

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Data Exposure (Disputed Breach) DIC3833538092225

Investigation Status: Ongoing (awaiting further verified information)

Incident : Data Privacy Violation DIC2762527111925

Investigation Status: Ongoing (NPC would investigate post-breach; DICT audit unresolved)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through: public denial of eGov PH breach; clarification on isolated eComplaints system incident; commitment to updates; DICT Undersecretary David Almirol Jr. defended rollout in media interviews; and no public advisory issued to users about risks.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Data Exposure (Disputed Breach) DIC3833538092225

Stakeholder Advisories: Priority on citizen privacy; updates to be released as information is verified.

Customer Advisories: Assurance that eGov PH platform data remains secure and encrypted.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Priority on citizen privacy; updates to be released as information is verified; and Assurance that eGov PH platform data remains secure and encrypted.

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Data Privacy Violation DIC2762527111925

Root Causes: Absence of enforceable contracts (MOAs/MOUs) with LGUs, Overreliance on ARTA’s 'red tape' exemption under RA 11032, Lack of data processing agreements (DPAs/DSAs), Unclear delineation of data controller/processor roles, Excessive data collection without legal basis or proportionality, Weak cybersecurity governance in EGovDX API integrations, Failure to adopt NPC’s 2020 Circular on data sharing transparency

Corrective Actions: DICT claims audit findings are 'resolved' (no evidence provided), Plan of action due by 09 June 2025 (status unknown), Potential COA disallowances pending

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: DICT claims audit findings are 'resolved' (no evidence provided), Plan of action due by 09 June 2025 (status unknown), Potential COA disallowances pending.

Additional Questions

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was in 2025.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-06-05.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were Government IDs (e.g., driver’s license, passport), Live photos, Full names, Birthdates, Addresses, Signatures, Phone numbers, Emails, Gender and Passport details (for eTravel).

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were the eComplaints system (third-party service), eGov PH Super App, eLGU Platform (924+ LGUs onboarded as of Oct 2025), Single Sign-On (SSO) System, EGovDX Data Exchange APIs and iBPLS (Integrated Business Permits and Licensing System).

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Live photos, Addresses, Birthdates, Full names, Signatures, Gender, Passport details (for eTravel), Phone numbers, Government IDs (e.g., driver’s license, passport) and Emails.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Post-breach investigations are insufficient without preventive agreements.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Execute uniform MOAs/MOUs with all LGUs to define roles/responsibilities, Publish transparent policies on data handling for users, Address COA risks to avoid budget disallowances, Implement Data Sharing Agreements (DSAs) or Data Processing Outsourcing Agreements (DPOAs), Align with NPC guidelines and international best practices (e.g., GDPR principles), Enhance cybersecurity measures (e.g., encryption, access controls) for EGovDX APIs, Establish clear breach notification protocols and Conduct proportionality assessments for data collection.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are Rappler, Joint Memorandum Circular (ARTA, DICT, DILG, DTI; April 2021), DICT Public Statement, Data Privacy Act of 2012 (Philippines), Ease of Doing Business Law (RA 11032) and Department of Information and Communications Technology (DICT) Internal Audit (2025).

What is the most recent URL for additional resources on cybersecurity best practices ?

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.rappler.com.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (awaiting further verified information).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Priority on citizen privacy; updates to be released as information is verified.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisory issued was an Assurance that eGov PH platform data remains secure and encrypted.


Latest Global CVEs (Not Company-Specific)

Description

MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8.

Risk Information
cvss3
Base: 6.4
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Description

XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via crafted body of a POST request.

Description

An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass.

Description

Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.

Risk Information
cvss4
Base: 9.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker-controlled floating point number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult, where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.

Risk Information
cvss4
Base: 5.5
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=dictgovph' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.