NPC says it is probing breach of multiple gov’t websites

The National Privacy Commission (NPC) said on Tuesday, April 24, that it has summoned the management and responsible officials of seven schools, institutions, and local government units as it investigates data breaches they sustained following an organized attack on government and commercial organizations last April 1.

Photo shows NPC officials, led by Atty. Francis Euston Acero, chief of the agency’s complaints and investigation division (second from left), initiating the probe on the data breach

The privacy body earlier sent notice to top officials of Taguig City University; the Department of Education offices in Bacoor City and Calamba City; the Province of Bulacan; Philippine Carabao Center; Republic Central Colleges in Angeles City; and Laguna State Polytechnic University, to appear before it from April 23 to 24.

The officials were required to explain why they notified neither the NPC nor the affected data subjects within 72 hours of the breach. The data subjects' personal data were made available for download via links posted on Facebook.

As of Monday, none of the affected organizations had been able to issue any data breach notification, which is among their obligations as Personal Information Controllers (PICs) under the Data Privacy Act of 2012.

“PICs are required to employ organizational, technical, and physical measures to protect personal data,” said Privacy Commissioner Raymund Liboro. “This includes the duty to inform data subjects and this Commission if there is a serious data breach.”

The move comes after digital investigators from the NPC determined that each of the exposed databases contained sensitive personal information or information that could be used to perpetrate identity fraud; that the exposed data is in the hands of unauthorized persons; and that the exposure of the data raises a real risk of serious harm to the affected data subjects.

In its initial estimate, the NPC said the exposed records in the breach belonged to at least 2,000 individual data subjects. The records include names, addresses, phone numbers, email addresses, and in some instances, even passwords and school details.
