Manila, Philippines – The Agricultural Credit Policy Council (ACPC) is the latest government agency to be targeted and hacked, with sensitive information compromised. The threat actor, identified as “ph1ns,” claims to have accessed the ACPC’s server and databases, downloading around 20GB of data.
Ph1ns is known for breaching other government agencies such as DOST, PCO-EMB and PNP-FEO, as well as several private companies such as Acer Philippines. Ph1ns used an exposed Git token to gain access. Based on the team’s initial investigation, the breach exposed approximately 160,000 records of sensitive personally identifiable information (PII), including ID cards and driving licenses.
We asked ph1ns to provide a detailed explanation of the breach. The threat actor exploited an exposed Git token that granted full access to the ACPC’s repository. This token was used to clone the repository, revealing critical database credentials. With these credentials, Ph1ns accessed a script named phprunner.php, which allowed the execution of custom queries. This led to the extraction of unencrypted usernames and passwords, resulting in complete control over user accounts.
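The first two links in this chain, a Git token left readable and database credentials committed to the repository, can be checked for before code is pushed. The following Python check is an added example, not code from the ACPC or from the original report; the rule names, file names and sample contents are constructed, and the report does not say where the token was exposed.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    path: str
    line: int
    rule: str

# One rule per exposure in the chain: a token usable against the Git host,
# and database credentials stored in the repository itself.
RULES = {
    # Userinfo (token or user:password) embedded in an http(s) URL.
    "token-in-url": re.compile(r"https?://[^\s/@]+@[\w.-]+"),
    # PHP variable named like a password and assigned a non-empty string literal.
    "php-hardcoded-password": re.compile(r"(?i)\$\w*(?:pass|pwd)\w*\s*=\s*(['\"])[^'\"]+\1"),
    # dotenv-style database password committed with a value.
    "env-db-secret": re.compile(r"(?i)^\s*DB_PASS(?:WORD)?\s*=\s*\S+"),
}

# Constructed sample tree (path -> contents); every value is a placeholder.
SAMPLE_TREE = {
    "deploy/update.sh": "#!/bin/sh\ngit clone https://EXAMPLE_TOKEN@git.example.invalid/org/app.git\n",
    "config/db.php": "<?php\n$db_host = 'localhost';\n$db_pass = 'EXAMPLE_PASSWORD';\n",
    "config/db_safe.php": "<?php\n$db_pass = getenv('DB_PASSWORD');\n",
    ".env": "DB_USER=app\nDB_PASSWORD=EXAMPLE_PASSWORD\n",
}

def scan(tree):
    """Return findings as (path, line, rule); matched values are never echoed."""
    findings = []
    for path, text in sorted(tree.items()):
        for number, line in enumerate(text.splitlines(), 1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    findings.append(Finding(path, number, rule))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_TREE):
        print(f"{f.path}:{f.line}: {f.rule}")
```

The file that reads its password from the environment (config/db_safe.php) produces no finding, which is the pattern the other two credential files should be moved to.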
The data downloaded by Ph1ns includes sensitive personal information of approximately 160,000 individuals. Among the compromised data are various ID cards and driving licenses, potentially affecting a large number of people connected to the ACPC’s services.
During the attack, Ph1ns also manipulated the ACPC’s loan request system. The threat actor attempted to approve as many loan requests as possible within the brief period of access, further complicating the impact of the breach.
Ph1ns also provided screenshots from the ACPC’s system to demonstrate the extent of their access. One screenshot shows a list of loan applications, detailing applicants’ regions, remarks on their submissions, names, programs, and email addresses. The list highlights issues such as incomplete business plans and required re-uploads, showcasing a total of 1,051 entries. Another screenshot from the ACPC’s administrative dashboard presents various statistics, including program briefing completions, program sign-ups, business planning preparations, documentary requirements, and evaluations by PLC. The dashboard also includes a graph of registered users from January 2022 to June 2024, along with gender distribution and the total number of verified applicants.
The ACPC has yet to release an official statement regarding the breach. Authorities are expected to launch an investigation to understand the full extent of the breach and its impact, and to prevent future incidents.
The actions of ph1ns and the subsequent exposure of extensive personal data underscore the urgent need for enhanced security protocols to safeguard sensitive information and maintain public trust.