The National Privacy Commission (NPC) on Monday, April 8, said it has launched an investigation in response to reported personal data breach within the Department of Science and Technology (DOST).
Initial findings indicate that the breach includes the personal data of approximately 597 data subjects, all of whom are employees of DOST.
Upon learning of the incident, the NPC said it promptly initiated actions through its Complaints and Investigation Division (NPC-CID).
On April 4, 2024, an on-site investigation was conducted at the DOST Central Office to determine the nature and extent of the breach, as well as to identify any compromised personal data.
Preliminary assessments revealed that the breach potentially exposed personal information and sensitive personal information such as names, gender, civil status, and addresses of DOST’s employees.
Additionally, the data dump uploaded by the threat actor included several resumes of individual applicants to DOST, the agency said.
“The NPC-CID is currently engaged in a thorough analysis of the data dump to fully determine the extent of the breach and assess associated risks,” it added.
The NPC received a breach notification from DOST on April 5, 2024. Under NPC Circular 16-
03, it is mandatory for the DOST to notify the affected data subjects and the NPC within 72 hours upon knowledge of or a reasonable belief that a personal data breach has occurred.
“Furthermore, the NPC strongly urges the public against accessing, downloading, or sharing the uploaded data dump without legitimate purpose or proper authorization. Such actions may constitute unauthorized processing of personal data, which is punishable by law,” the data privacy body said.
