Press Statement of the NPC on Alleged DOST Data Breach

The National Privacy Commission (NPC) has launched an investigation in response to reported personal data breach within the Department of Science and Technology (DOST). Initial findings indicate that the breach includes the personal data of approximately 597 data subjects, all of whom are employees of DOST.

Upon learning of this incident, the NPC promptly initiated actions through its Complaints and Investigation Division (NPC-CID). On April 4, 2024, an on-site investigation was conducted at the DOST Central Office to determine the nature and extent of the breach, as well as to identify any compromised personal data.

Preliminary assessments reveal that the breach potentially exposed personal information and sensitive personal information, such as names, gender, civil status, and addresses of DOST’s employees. Additionally, the data dump uploaded by the threat actor included several resumes of individual applicants to DOST. The NPC-CID is currently engaged in a thorough analysis of the data dump to fully determine the extent of the breach and assess associated risks.

The NPC received a breach notification from DOST on April 5, 2024. Under NPC Circular 16-03, it is mandatory for the DOST to notify the affected data subjects and the NPC within 72 hours upon knowledge of or a reasonable belief that a personal data breach has occurred.

Furthermore, the NPC strongly urges the public against accessing, downloading, or sharing the uploaded data dump without legitimate purpose or proper authorization. Such actions may constitute unauthorized processing of personal data, which is punishable by law.

The NPC remains committed in keeping the public informed of the progress of this investigation as they unfold.

For inquiries and updates regarding this incident, please visit our official website www.privacy.gov.ph, or contact our Public Information and Assistance Division at [email protected].

###