NPC investigates multiple government website breach

1. The National Privacy Commission (NPC) yesterday summoned the management and other responsible officials of seven schools, institutions, and local government units as it investigates data breaches they sustained following an organized attack on government and commercial organizations last April 1, 2018.

2. The privacy body earlier sent notice to top officials of Taguig City University; the Department of Education offices in Bacoor City and Calamba City; the Province of Bulacan; Philippine Carabao Center; Republic Central Colleges in Angeles City; and Laguna State Polytechnic University, to appear before it from April 23 to 24. This, to explain why they did not notify, within 72 hours of the breach, the NPC nor the affected data subjects, whose personal data were made available for download via links posted on Facebook.

3. As of yesterday, none of the affected organizations were able to issue any data breach notifications whatsoever, as part of their obligations as Personal Information Controllers (PICs) under the Data Privacy Act of 2012. “PICs are required to employ organizational, technical, and physical measures to protect personal data,” said Privacy Commissioner Raymund Enriquez Liboro. “This includes the duty to inform data subjects and this Commission if there is a serious data breach.”

4. The move comes after digital investigators from the National Privacy Commission determined that each of the exposed databases contained sensitive personal information or information that could be used to perpetuate identity fraud; that the exposed data is in the hands of unauthorized persons; and that the exposure of the data raises a real risk of serious harm to the affected data subjects.

5. In its initial estimate, the NPC said the combined number of exposed records in the breach were those of at least 2,000 individual data subjects. They include their name, address, phone number, email address, and in some instances, even passwords and school details.

# # #