
The Department of Information and Communications Technology is mandated by Republic Act (RA) 10844 or the DICT Act of 2015 to be the primary policy, planning, coordinating, implementing, and administrative entity of the Executive Branch of the government that will plan, develop, and promote the national ICT development agenda.

Department of Information and Communications Technology A.I CyberSecurity Scoring

DICT

Company Details

LinkedIn ID: dictgovph
Employees number: 634
Number of followers: 498,184
NAICS: 92
Industry Type: Government Administration
Homepage: dict.gov.ph
IP Addresses: Scan still pending
Company ID: DEP_1285932
Scan Status: In-progress

DICT Risk Score (AI oriented)

Between 650 and 699

  • Powered by our proprietary A.I cyber incident model
  • Insurance prefers TPRM score to calculate premium

DICT Global Score (TPRM)

XXXX


Department of Information and Communications Technology

Current Score: 698, B (Weak)
Scale: 0 to 1000
2 incidents
-70.0 avg impact

Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.

DECEMBER 2025: 698
NOVEMBER 2025: 697
OCTOBER 2025: 697
SEPTEMBER 2025: 765
Breach
22 Sep 2025 • Department of Information and Communications Technology (DICT)
Potential Data Exposure in DICT's eComplaints System (Isolated from eGov PH Platform)

The DICT reported an incident involving its **eComplaints system**, a third-party service linked to the **eGov PH platform**, where over **30,000 complaint records** were allegedly exposed. The department clarified that the **eGov PH app itself was not compromised**, and the breach was isolated to the eComplaints system, which operates separately from the main infrastructure. DICT emphasized that **no personal data on the eGov platform was leaked**, as it remains encrypted and protected by cybersecurity measures. While the exact nature of the exposed records (e.g., whether they contained sensitive personal or financial details) was not confirmed, the incident raised concerns about **third-party vulnerabilities** in government digital services. DICT committed to providing updates as further verified information becomes available, reiterating its priority to safeguard citizen privacy. The incident did not result in a full-scale breach of the primary eGov PH system, but the exposure of complaint records—even if non-sensitive—could still undermine public trust in digital governance platforms.

695
medium -70
DIC3833538092225
Data Exposure (Disputed Breach)
eComplaints system (third-party service)
Brand Reputation Impact: Potential (due to disputed breach claims)
Incident Response Plan Activated: Yes (public statement issued)
Communication Strategy: Public denial of eGov PH breach; clarification on isolated eComplaints system incident; commitment to updates.
Data Encryption: Confirmed (for eGov PH platform data)
Ongoing (awaiting further verified information)
Assurance that eGov PH platform data remains secure and encrypted.
Priority on citizen privacy; updates to be released as information is verified.
AUGUST 2025: 765
JULY 2025: 765
JUNE 2025: 764
MAY 2025: 764
APRIL 2025: 764
MARCH 2025: 764
FEBRUARY 2025: 764
JANUARY 2025: 764
JUNE 2016: 773
Breach
16 Jun 2016 • Department of Information and Communications Technology (DICT) - Philippines
DICT Internal Audit Reveals 'Significant Non-Compliance' in eGov eLGU Platform Rollout Without Contracts

The DICT’s **eGov ‘super app’** and its **eLGU platform**—used by **14 million Filipinos** and **924+ local government units (LGUs)**—were deployed **without signed contracts (MOAs/MOUs)** defining data protection responsibilities, breach reporting, or liability. An **internal audit (2025)** revealed **40 out of 85 eLGU-adopted LGUs had no agreements**, while **474 out of 973 iBPLS-adopted LGUs lacked complete MOAs**, exposing **unclear accountability** for data breaches. The system **collects excessive personal data upfront** (government IDs, live photos, signatures, addresses) even for basic services like viewing health centers, raising **proportionality concerns** under privacy laws. The absence of **Data Sharing Agreements (DSAs)** or formal policies leaves **no clear recourse for citizens** in case of breaches, despite **routine hacking incidents** (e.g., **19 government sites hacked in September 2025 protests**). DICT claims **no data is stored or shared** via eGovDX APIs, but **experts warn this creates legal ambiguity**, risking **COA disallowances** for irregular spending (e.g., **₱377.64M in contracts without enforceable agreements**). Former NPC officials highlight the **government’s poor track record** in breach accountability, citing unresolved cases like the **2016 Comelec hack**. The platform’s **lack of transparency** and **unmitigated risks** undermine trust in a system handling **sensitive citizen data** at scale.

702
critical -71
DIC2762527111925

  • Data Privacy Violation
  • Regulatory Non-Compliance
  • Governance Failure
  • Excessive Data Collection

  • Lack of Data Processing Agreements (DPAs/DSAs)
  • Absence of Memoranda of Agreement (MOAs) with LGUs
  • Unclear Accountability Frameworks
  • Overcollection of Personal Data
  • Weak Cybersecurity Safeguards in Government Systems

  • Rapid Deployment Under Ease of Doing Business Law (RA 11032)
  • Avoidance of 'Red Tape' (per ARTA advice)
  • Centralization of Government Services

  • Government IDs (e.g., driver’s license, passport)
  • Live photos
  • Full names
  • Birthdates
  • Addresses
  • Signatures
  • Phone numbers
  • Emails
  • Gender
  • Passport details (for eTravel)
  • eGov PH Super App
  • eLGU Platform (924+ LGUs onboarded as of Oct 2025)
  • Single Sign-On (SSO) System
  • EGovDX Data Exchange APIs
  • iBPLS (Integrated Business Permits and Licensing System)
  • Unclear liability for data breaches
  • Potential COA (Commission on Audit) disallowances
  • Risk of 'irregular' budget usage
  • Lack of breach notification protocols
  • Difficulty in assigning accountability for cybersecurity incidents
  • Erosion of public trust in eGov platform
  • Perception of government negligence in data protection
  • Potential backlash from 14M+ users
  • Violation of Data Privacy Act (Philippines)
  • Potential NPC (National Privacy Commission) penalties
  • Lack of legal recourse for affected citizens
  • Risk of lawsuits from data subjects
  • Identity Theft Risk: High (due to excessive collection of PII without safeguards)
  • Payment Information Risk: Moderate (eTravel requires passport details)

  • Incident Response Plan Activated: No (per audit findings; no clear protocols)
  • Law Enforcement Notified: No (NPC would investigate post-breach, per DICT)
  • DICT claims audit issue 'resolved' with Internal Audit Service (no details provided)
  • Plan of action demanded by audit (due 09 June 2025)
  • DICT Undersecretary David Almirol Jr. defended rollout in media interviews
  • No public advisory issued to users about risks

  • Personally Identifiable Information (PII)
  • Biometric Data (live photos, signatures)
  • Government-Issued IDs
  • Contact Information
  • Sensitivity Of Data: High (includes IDs, biometrics, and passport details)
  • Personally Identifiable Information: Yes (extensive)

  • Data Privacy Act of 2012 (Philippines)
  • Potential COA (Commission on Audit) financial regulations
  • NPC (National Privacy Commission) guidelines on data sharing
  • NPC would investigate post-breach (per DICT)
  • Audit demanded corrective action by 09 June 2025

  • Lack of contracts creates 'unclear liability' and accountability gaps
  • Excessive data collection without proportionality undermines trust
  • Ease of Doing Business mandates should not override data protection
  • API-based data exchanges require explicit safeguards
  • Post-breach investigations are insufficient without preventive agreements

  • Execute uniform MOAs/MOUs with all LGUs to define roles/responsibilities
  • Implement Data Sharing Agreements (DSAs) or Data Processing Outsourcing Agreements (DPOAs)
  • Conduct proportionality assessments for data collection
  • Establish clear breach notification protocols
  • Publish transparent policies on data handling for users
  • Align with NPC guidelines and international best practices (e.g., GDPR principles)
  • Address COA risks to avoid budget disallowances
  • Enhance cybersecurity measures (e.g., encryption, access controls) for EGovDX APIs

Ongoing (NPC would investigate post-breach; DICT audit unresolved)

  • Absence of enforceable contracts (MOAs/MOUs) with LGUs
  • Overreliance on ARTA’s 'red tape' exemption under RA 11032
  • Lack of Data Processing Agreements (DPAs/DSAs)
  • Unclear delineation of data controller/processor roles
  • Excessive data collection without legal basis or proportionality
  • Weak cybersecurity governance in EGovDX API integrations
  • Failure to adopt NPC’s 2020 circular on data sharing transparency
  • DICT claims audit findings are 'resolved' (no evidence provided)
  • Plan of action due by 09 June 2025 (status unknown)
  • Potential COA disallowances pending

Frequently Asked Questions

According to Rankiteo, the current A.I.-based Cyber Score for Department of Information and Communications Technology is 698, which corresponds to a Weak rating.

According to Rankiteo, the A.I. Rankiteo Cyber Score for November 2025 was 697.

According to Rankiteo, the A.I. Rankiteo Cyber Score for October 2025 was 697.

According to Rankiteo, the A.I. Rankiteo Cyber Score for September 2025 was 765.

According to Rankiteo, the A.I. Rankiteo Cyber Score for August 2025 was 765.

According to Rankiteo, the A.I. Rankiteo Cyber Score for July 2025 was 765.

According to Rankiteo, the A.I. Rankiteo Cyber Score for June 2025 was 764.

According to Rankiteo, the A.I. Rankiteo Cyber Score for May 2025 was 764.

According to Rankiteo, the A.I. Rankiteo Cyber Score for April 2025 was 764.

According to Rankiteo, the A.I. Rankiteo Cyber Score for March 2025 was 764.

According to Rankiteo, the A.I. Rankiteo Cyber Score for February 2025 was 764.

According to Rankiteo, the A.I. Rankiteo Cyber Score for January 2025 was 764.

Over the past 12 months, the average per-incident point impact on Department of Information and Communications Technology’s A.I Rankiteo Cyber Score has been -70.0 points.

You can access Department of Information and Communications Technology’s cyber incident details on Rankiteo by visiting the following link: https://www.rankiteo.com/company/dictgovph.

You can find the summary of the A.I Rankiteo Risk Scoring methodology on Rankiteo by visiting the following link: Rankiteo Algorithm.

You can view Department of Information and Communications Technology’s profile page on Rankiteo by visiting the following link: https://www.rankiteo.com/company/dictgovph.

With scores of 18.5/20 from OpenAI ChatGPT, 20/20 from Mistral AI, and 17/20 from Claude AI, the A.I. Rankiteo Risk Scoring methodology is validated as a market leader.