Two data privacy advocacy groups have urged the Department of Information and Communications Technology (DICT) and the National Privacy Commission (NPC) to warn the public about the potential impact of the PhilHealth data breach through a Medusa malware attack discovered on Sept. 22.
Sam Jacoba, president of the National Association of Data Protection Officers of the Philippines (NADPOP), said: “Compared to the Commission on Elections (Comelec) data breach in 2016, the potential impact of this incident is even bigger as all working Filipinos are mandatorily enrolled, and need to pay monthly contributions.”
“We urgently request the DICT and NPC that even if only a fraction of the extent of the breach has been revealed by the threat actors, they can already guide consumers, and institutions that use PhilHealth information on what to do in case their personal information was compromised by the breach,” Jacoba said.
Lito Averia, president of the Philippine Computer Emergency Response Team (PH-CERT), a volunteer organization that assists individuals and institutions on information security issues, agreed that the regulators should already anticipate the worst-case scenario as it is better to warn Filipino consumers as soon as possible as the threat actors can already exploit the illegally accessed personal information.
“PhilHealth, with the help of the DICT, is releasing information on the breach bit by bit. This is actually understandable as the discovery process for external security incidents is complicated, but they can already assume that a significant number of member data was compromised based on their recent statement,” Averia said.
“Thus, better prepare PhilHealth members for the worst-case scenario so they will not be caught off-guard and suffer potential financial loss or be a victim of identity theft.”
NADPOP and PH-CERT also offered to provide a third-party perspective and assist PhilHealth in its current breach investigation with the DICT and NPC.
“If PhilHealth needs unbiased third-party support, we have volunteers who are ready to assist in digital forensics and in the data breach management needs of the agency,” Jacoba and Averia jointly offered.
“We are extending our support to PhilHealth and its impacted employees and members during this time as we know the value of all of us helping each other during these times. It takes a community to protect personal information.”
NADPOP and PH-CERT just concluded CyberSecConPH last Sept.19 attended by more than 100 cybersecurity professionals, which kickstarted the formation of a Cybersecurity Community of Practice in the Philippines that will connect with the Asean-Japan Cybersecurity Community this week in Tokyo.
On Oct. 25 to 27, in support of Cybersecurity Month, the two groups will host an online conference on Governance, Risk and Compliance (GRC) that will elevate the knowledge and skills of Data Protection Officers (DPOs) and Cybersecurity Professionals in fighting against internal and external threat actors.
The conference is by invitation only and exclusive to active NADPOP and PH-CERT community volunteers, members and partners.