Department of Information and Communications Technology Breach Incident Score: Analysis & Impact (DIC2762527111925)

This Rankiteo video explains how the company Department of Information and Communications Technology was impacted by a breach on June 16, 2016.


Incident Summary

Rankiteo Incident Impact: -71
Company Score Before Incident: 773 / 1000
Company Score After Incident: 702 / 1000
Company Link
Incident ID: DIC2762527111925
Type of Cyber Incident: Breach
Primary Vector: NA
Data Exposed: Government IDs (e.g., driver's license, passport), Live photos, Full names, Birthdates, Addresses, Signatures, Phone numbers, Emails, Gender, Passport details (for eTravel)
First Detected by Rankiteo: June 16, 2016
Last Updated Score: June 17, 2016


Key Highlights From This Incident Analysis

  • Timeline of Department of Information and Communications Technology's breach and lateral movement inside the company's environment.
  • Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
  • How Rankiteo's incident engine converts technical details into a normalized incident score.
  • How this cyber incident impacts Department of Information and Communications Technology's Rankiteo cyber score and cyber rating.
  • Rankiteo's MITRE ATT&CK correlation analysis for this incident, with associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the Department of Information and Communications Technology breach identified under incident ID DIC2762527111925.

The analysis begins with a detailed overview of Department of Information and Communications Technology's profile: its LinkedIn page (https://www.linkedin.com/company/dictgovph), its number of followers (498184), its industry type (Government Administration) and its number of employees (634 employees).

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The company score was 773 before the incident and 702 after it, a difference of -71, which can serve as an indicator of the severity and impact of the incident.

In the next step of the video, we analyze the incident in more detail, along with the impact it had on Department of Information and Communications Technology and their customers.

On 05 June 2025, Department of Information and Communications Technology (DICT) disclosed Data Privacy Violation, Regulatory Non-Compliance and Governance Failure issues under the banner "DICT Internal Audit Reveals 'Significant Non-Compliance' in eGov eLGU Platform Rollout Without Contracts".

A 2025 internal audit by the Department of Information and Communications Technology (DICT) in the Philippines uncovered that the eGov 'super app' and its eLGU (electronic Local Government Unit) platform were deployed nationwide without signed contracts (MOAs/MOUs) with LGUs.

The disruption is felt across the environment, affecting the eGov PH Super App, the eLGU Platform (924+ LGUs onboarded as of Oct 2025) and the Single Sign-On (SSO) System, and exposing Government IDs (e.g., driver's license, passport), Live photos and Full names.

In response, teams activated the incident response plan and began remediation: DICT claims the audit issue was 'resolved' with the Internal Audit Service (no details provided), and a plan of action was demanded by the audit (due 09 June 2025). Stakeholders were briefed through DICT Undersecretary David Almirol Jr., who defended the rollout in media interviews; no public advisory was issued to users about risks.

The case remains ongoing (the NPC would investigate post-breach; the DICT audit is unresolved). Teams are taking away lessons such as: a lack of contracts creates 'unclear liability' and accountability gaps; excessive data collection without proportionality undermines trust; and Ease of Doing Business mandates should not override data protection. Recommended next steps include executing uniform MOAs/MOUs with all LGUs to define roles and responsibilities, implementing Data Sharing Agreements (DSAs) or Data Processing Outsourcing Agreements (DPOAs), and conducting proportionality assessments for data collection.

Finally, we try to match the incident against the MITRE ATT&CK framework to see whether any of its tactics and techniques correlate with the incident.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with a confidence level based on the available evidence:

  • Initial Access: Exploit Public-Facing Application (T1190), moderate to high confidence (70%); evidence includes 19 government sites hacked in September 2025 protests, and weak cybersecurity safeguards in government systems. Valid Accounts (T1078), moderate to high confidence (85%); evidence includes the Single Sign-On (SSO) System exposed without clear safeguards, and 924+ LGUs onboarded with no agreements for access controls.
  • Persistence: Account Manipulation (T1098), moderate to high confidence (75%); evidence includes unclear accountability for data breaches in SSO/system access, and no clear recourse for citizens, implying unmonitored account activity.
  • Privilege Escalation: Valid Accounts: Cloud Accounts (T1078.004), moderate to high confidence (80%); evidence includes eGovDX Data Exchange APIs lacking explicit safeguards, and centralization of government services suggesting broad API access.
  • Defense Evasion: Impair Defenses: Disable or Modify Tools (T1562.001), moderate confidence (60%); evidence includes no clear breach notification protocols, and a lack of cybersecurity governance in eGovDX API integrations. Obfuscated Files or Information (T1027), moderate confidence (65%); evidence includes a lack of transparency in data handling policies, and no public advisory issued to users about risks.
  • Credential Access: Unsecured Credentials: Credentials In Files (T1552.001), moderate to high confidence (70%); evidence includes excessive personal data collected upfront (e.g., government IDs, live photos) and stored without safeguards, and high identity theft risk due to excessive PII collection. Credentials from Password Stores (T1555), moderate confidence (60%); evidence includes the Single Sign-On (SSO) System mentioned with unclear accountability, and weak cybersecurity safeguards in platforms handling 14M users.
  • Discovery: File and Directory Discovery (T1083), moderate to high confidence (70%); evidence includes eGovDX Data Exchange APIs lacking monitoring, implying unchecked data access, and no Data Sharing Agreements (DSAs), suggesting unlogged data flows.
  • Collection: Data from Local System (T1005), high confidence (90%); evidence includes excessive personal data collected upfront (IDs, biometrics, signatures), and overcollection of personal data listed as a vulnerability. Data from Information Repositories (T1213), moderate to high confidence (85%); evidence includes the eGov PH Super App and eLGU Platform storing data from 14M Filipinos, and passport details (for eTravel) and government IDs being centralized.
  • Exfiltration: Exfiltration Over Alternative Protocol (T1048), moderate to high confidence (70%); evidence includes eGovDX APIs lacking explicit safeguards for data exchanges, and no clear recourse for citizens, implying potential undetected exfiltration. Automated Exfiltration (T1020), moderate confidence (65%); evidence includes 19 government sites hacked historically, suggesting automated targeting, and routine hacking incidents with unclear liability.
  • Impact: Data Destruction (T1485), moderate confidence (50%); evidence includes potential COA disallowances for irregular spending, and the risk of irregular budget usage, which could imply data tampering. Resource Hijacking (T1496), moderate confidence (60%); evidence includes centralization of government services creating a single point of failure, and 14M users' data at risk due to weak cybersecurity safeguards. Data Encrypted for Impact (T1486), lower confidence (40%); evidence includes no remediation measures listed, implying potential ransomware risk, and the high sensitivity of the data (biometrics, IDs) as leverage.

These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.


Sources