TOTAL NUMBER OF SECURITY INCIDENTS REPORTED (2018-2023), as of August 31, 2024: 6,847,611,386

About DBNMS

On 22 April 2022, the National Privacy Commission, through its Compliance and Monitoring Division, launched the Data Breach Notification Management System (DBNMS) for the easier and more convenient submission of personal data breach notifications and Annual Security Incident Reports by Personal Information Controllers and Processors. The System allows more effective issuance of Orders as well as real-time update and reflection of the status of submissions. It also makes compliance by Personal Information Controllers and Processors more efficient: its self-evaluation tool screens out the submission of inaccurate data breach notifications. The data gathered from the DBNMS are used by the Commission in its policy and standards development, awareness campaigns, and other privacy-related advocacies.

741 Total Personal Data Breach Notifications, 2022 to August 2024


TOP 3 GENERAL CAUSES OF DATA BREACHES (January - August 2024)

Malicious Attacks (115 reports)

  • Hacking-Cloud (4)
  • Hacking-Database (16)
  • Hacking-Email Account (3)
  • Hacking-Infrastructure (0)
  • Hacking-Server (11)
  • Hacking-Website (11)
  • Hacking-Others (9)
  • Theft (4)
  • Social Engineering (0)
  • Malware-Ransomware (21)
  • Malware-Trojan Horse (6)
  • Hacking-SQL Injection (3)
  • Phishing (2)
  • Smishing (0)
  • Hacking-Phishing (2)
  • Malware-Virus (1)
  • Hacking-Man-In-The-Middle (2)
  • Others (20)

Human Error (86 reports)

  • Undertrained Staff (2)
  • Loss of Equipment (7)
  • Loss of Documents (20)
  • Misdelivered Documents (2)
  • Negligence (12)
  • Accidental Email (19)
  • Misuse of Resources (3)
  • Others (21)

Malicious Attacks / Human Error (35 reports)

  • Misuse of Resources (0)
  • Phishing (2)
  • Smishing (0)
  • Social Engineering (1)
  • Undertrained Staff (1)
  • Insider Threat (3)
  • Negligence (4)
  • Stolen Device (3)
  • Hacking-Database (10)
  • Unauthorized Disclosure (7)
  • Others (4)

Top 5 Sectors reporting Data Breach Notifications January - August 2024

GOVERNMENT (55)

OTHERS (25)

EDUCATION (21)

FINANCIAL SERVICE ACTIVITIES (21)

MANPOWER AGENCIES (17)

Top 5 Sectors Reporting Security Incidents in 2023

GOVERNMENT (53)

FINANCIAL SERVICE ACTIVITIES (49)

RETAIL/TRADE (28)

EDUCATION (20)

HEALTHCARE FACILITIES (20)

FEATURED SECURITY MEASURE

MULTI-FACTOR AUTHENTICATION

Threats to personal data are growing as fast as the technology that processes it, and headlines about private and government entities suffering a data breach have become routine. Since personal data breaches and security incidents come with digitalization, strengthening cyber defenses and protecting personal and sensitive personal data should be a top priority. One of the most important measures is protecting user credentials through secure and appropriate user authentication methods.

Authentication is the process of verifying someone's identity. The credentials used for it fall into three authentication factors:

  1. Something you know – a password or PIN. When logging in, the user enters the password or PIN to gain access to the service provider.

  2. Something you are – an inherent characteristic of the user, that is, biometric information. Examples are fingerprints, retinal scans or facial recognition used to log in to a service provider.

  3. Something you have – a physical object in the user's possession. Examples include a smartphone (for instance, one running an authenticator app that generates one-time codes) or a hardware security token plugged into the user's device, such as through a USB port.

Using only one of these factors is called Single Factor Authentication. For example, when a person can access his/her Facebook account using only a password, his/her identity is verified with a single factor. When the login combines two or more different factors, the person is using Multifactor Authentication (MFA). Two credentials of the same kind, such as a password plus a security question, are still a single factor, since both are something you know.

What is MFA?

Multifactor Authentication requires the user to present two or more authentication factors of different kinds; using all three is the strongest form. For example, to log in, the employee first enters his/her password (something you know). After the password is verified, the user scans his/her fingerprint (something you are). Finally, once both the password and the biometric information have been verified by the system, the employee inserts his/her hardware authentication device into the USB port (something you have). Only then can the employee log in and use the company resources he/she is authorized to use.

Of Single Factor Authentication, Two Factor Authentication and Multifactor Authentication with all three factors, the last is the most secure. Two Factor Authentication is already a form of MFA, and even it defeats attacks that rely on a stolen or guessed password alone. Organizations, especially those that process high volumes of personal data, should implement MFA. Not every second factor is equally strong: one-time codes sent by SMS can be intercepted or phished (see the smishing figures above), so hardware tokens or authenticator apps are preferred where available.
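As an added example (not code from the NPC or the DBNMS), the following Python implements the login flow described above with two of the three factors: a salted password hash (something you know) and a time-based one-time password from an authenticator app or hardware token (something you have), following RFC 4226 HOTP and RFC 6238 TOTP. The user record, salt and password are constructed for the demonstration; the TOTP seed is the RFC 6238 test seed so the codes can be checked against the published vectors. It also shows two details the prose does not: both factors are always evaluated and the response does not reveal which one failed, and an accepted code cannot be replayed within its validity window.

```python
"""Two-factor login: password (something you know) + TOTP (something you have).
Added example; not NPC/DBNMS code. User records below are constructed inline."""
import hashlib
import hmac
import struct

TOTP_STEP = 30  # seconds per time-step (RFC 6238 default)


# --- Factor 1: something you know -----------------------------------------
def hash_password(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: slow, salted hashing so a stolen table resists cracking."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


# --- Factor 2: something you have (RFC 4226 HOTP / RFC 6238 TOTP) ---------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def totp(secret: bytes, at_time: float, step: int = TOTP_STEP, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time // step), digits)


# Constructed user record (assumption: in a real system this lives in a database).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "salt": _SALT,
        # RFC 6238 test seed; in practice a random seed shared with the user's app/token.
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,  # highest time-step already accepted (replay guard)
    }
}


def login(username: str, password: str, code: str, now: float, window: int = 1) -> str:
    """Return "ok" only when BOTH factors verify; otherwise "denied".

    `window` allows +/- that many time-steps of clock drift between server and token.
    """
    user = USERS.get(username)
    if user is None:
        hash_password(password, _SALT)  # same cost for unknown users: no timing oracle
        return "denied"

    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])

    # Factor 2 is evaluated regardless of factor 1, and the reply never says which failed.
    counter = int(now // TOTP_STEP)
    matched = None
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(user["totp_secret"], c).encode(), code.encode()):
            matched = c
            break
    # A code is single-use: a time-step at or below the last accepted one is a replay.
    otp_ok = matched is not None and matched > user["last_counter"]

    if pw_ok and otp_ok:
        user["last_counter"] = matched
        return "ok"
    return "denied"


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple", totp(b"12345678901234567890", 59), 59))
```

At Unix time 59 the RFC 6238 vector for this seed is 287082, so the first call with that code returns "ok"; repeating the exact same call returns "denied" because the replay guard has already consumed that time-step, even though the code is still within the drift window.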

HOW CAN THE DBNMS HELP YOU?

Faster and more accurate development of data-driven policies for Personal Information Controllers and Processors, and data subjects

PERSONAL INFORMATION CONTROLLERS AND PROCESSORS

  • Faster, easier, and more efficient submission of data breach notifications and Annual Security Incident Reports
  • More accurate submission of data breach notifications through its self-evaluation tool

DATA SUBJECTS

  • Awareness of the common causes of data breaches, the sectors most affected, and how data subjects can protect themselves against these incidents


BUILT USING THE PRIVACY BY DESIGN APPROACH

  • Proactive not Reactive; Preventative not Remedial – From its initial stages, the DBNMS was built with the aim of preventing or mitigating privacy and security risks.

  • Privacy as the Default Setting – The DBNMS has its privacy-preserving options turned on by default. Users need not configure the DBNMS to enable privacy-preserving features, because user privacy is applied at signup and throughout use of the System.

  • Privacy Embedded into Design – While designing the DBNMS, the NPC's Compliance and Monitoring Division conducted Privacy Impact Assessments ("PIA") to determine the data flows and data inventory of the system, ensuring that the DBNMS respects the principles of the Data Privacy Act of 2012: Transparency, Legitimate Purpose, and Proportionality. It also integrated features to secure the personal data processed by the System.

  • Full Functionality – Positive-Sum, not Zero-Sum – During development, the NPC harmonized and preserved both the privacy measures and the proposed functionalities of the DBNMS. During implementation, additional features were identified and added. Because the PIA was conducted during the design phase, features can be added without compromising the privacy measures.

  • End-to-End Security – Lifecycle Protection – One requirement emphasized during the planning stage was that every major stage of development undergo a security assessment, so that vulnerabilities are addressed before the DBNMS is completed. In addition, several PIAs were conducted during development to ensure that none of the privacy measures were neglected or removed from the system. Finally, prior to deployment, a Vulnerability Assessment and Penetration Test ("VAPT") was conducted by a recognized VAPT provider.

  • Visibility and Transparency – Keep it Open – Following best practices, a Just-in-Time ("JIT") Privacy Notice pops up during signup. This Privacy Notice is designed to be easily read and understood. Users may also read the full Notice by clicking the link in the JIT version or at the bottom of every page of the DBNMS, so they are informed about how their personal data is processed and protected and how to contact the Commission's Data Protection Officer ("DPO") with any concern.

  • Respect for User Privacy – Keep it User-Centric – Users of the DBNMS are empowered to exercise their privacy rights in the System. Beyond the security and privacy safeguards in place and the integration of privacy into the design of the system, users can modify, edit, and delete their personal data. The contact details of the DPO are provided for privacy-related concerns, and the email address of the DBNMS administrator for other DBNMS concerns.


HOW TO USE DBNMS

All Breach Notifications and Annual Security Incident Reports ("ASIR") shall be submitted through the Data Breach Notification Management System ("DBNMS") online platform (https://dbnms.privacy.gov.ph). To guide you in navigating the DBNMS, please watch the videos through the links below:
1. How to create a DBNMS account
2. How to submit a Personal Data Breach Notification report
3. How to comply with the required documents and information
4. How to submit an Annual Security Incident Report