About Us
DPWH ‘Hack’ may have been misinterpreted says cybersecurity researcher
DECODED: TECH, TRUTH, AND THREATS
By Art Samaniego
The alleged hacking of the Department of Public Works and Highways (DPWH) that made rounds on social media last week may not have been a malicious breach after all, but rather a case of accidental exposure.
In a message sent to me, JR Dioca, the author of the blog post that first detailed the incident clarified what could have really happened. The blog, published on jrdioca.com, analyzed the so-called “Git dump” that contained internal data attributed to DPWH’s software development repositories.
The author explained that while the leak of data from a Git repository is serious, it does not automatically mean the agency was actively “hacked” by outsiders. Instead, the evidence suggested that sensitive files and credentials may have been unintentionally exposed through poor repository hygiene or a misconfigured server.
“From the indicators, it looks more like accidental exposure than a full-blown compromise,” the researcher noted. “Developers sometimes forget to secure repositories, and once indexed or scraped, these files become accessible.”
Why it matters?
Even if no hacker directly infiltrated DPWH systems, the exposure is still dangerous. Credentials, code snippets, or configuration files leaked online can later be weaponized by malicious actors. “Calling it a hack may not be accurate, but that doesn’t mean there’s no risk,” the author stressed.
As a cybersecurity analyst, I agree that both public and private institutions in the Philippines need stronger protocols to prevent similar incidents. Misconfigured repositories, unsecured databases, and poor credential management are among the top causes of government data leaks worldwide.
Waiting for DPWH response
Until now, the DPWH has not issued an official statement regarding the alleged incident. It remains unclear whether the agency has investigated the exposed files, rotated its credentials, or coordinated with the Department of Information and Communications Technology (DICT) and the Cybercrime Investigation and Coordinating Center (CICC).
The incident highlights once again the government’s vulnerability to digital risks. Just months earlier, several government websites, as well as major universities, were found to be hosting injected gambling spam in search results, another reminder of weak security practices.
The bigger picture
Whether due to misconfiguration or malicious intrusion, the DPWH case shows the urgent need for stricter cybersecurity compliance in government offices. Regular security audits, repository monitoring, and training for developers could prevent such exposures in the future.
“The bottom line is that data was exposed,” JR Dioca concluded. “Whether by mistake or by attack, agencies need to act quickly to protect systems and the public.”
Read the researcher’s Digital Forensics and Incident Response at: https://blog.jrdioca.com/dfir/2025/08/28/DPWHGitdump/