The National Privacy Commission (NPC) acknowledged on Thursday, June 6, that it received breach notifications from Robinsons Land, Toyota Motor Philippines, and the Philippine National Police (PNP).
The confirmation comes on the heels of another major hacking incident, this one at grocery chain S&R, as reported by cybersecurity monitoring site Deep Web Konek. However, the NPC said it has not yet received a breach notification regarding that incident.
A data breach at S&R has exposed the personal information of about 11,000 members, including names, email addresses, phone numbers, home addresses, and various personal identifiers. The breach, claimed by a user named L00tz.
— Deep Web Konek (@deepwebkonek) June 4, 2024
Last May 30, Deep Web Konek also reported that a total of 31 public and private organizations were hacked by an entity known as DeathNote Hackers.
NEW: A major data breach was detected affecting 31 government and private entities, including local municipalities, national agencies, and organizations. The breach, executed by the DeathNote Hackers approximately 93GB of sensitive data.
Full Story: https://t.co/gbBOY9dvKs
— Deep Web Konek (@deepwebkonek) May 30, 2024
In the case of Robinsons Land, the NPC said it was notified about the breach on June 1, 2024. Toyota Motor Philippines, on the other hand, reported the breach on May 14, 2024.
The PNP, meanwhile, submitted six data breach notifications in May 2024.
“Companies and individuals processing personal data must notify affected data subjects individually and report to the Commission via the Data Breach Notification Management System (DBNMS) within 72 hours of discovering a breach,” the NPC said.
At the same time, the privacy body warned local businesses that process the personal data of their clients and/or employees but remain unregistered with the NPC.
“Show-cause orders shall be issued for non-compliance with the Data Privacy Act of 2012 (DPA) and relevant NPC issuances. NPC Circular No. 2022-04 mandates the registration of data processing systems (DPS) and data protection officers (DPOs) for all businesses that process personal data of two hundred fifty (250) or more employees, or one thousand (1,000) or more customers, or those processing data that will likely pose a risk to the rights and freedoms of data subjects,” it said.
The NPC said businesses that do not reach specified thresholds must still submit a declaration and undertaking for exemption.
“The Commission reminds personal information controllers (PICs) and personal information processors (PIPs) of their obligations under the DPA, its IRR, and the issuances of the NPC, including compliance with the registration requirements.
“Further, the Commission, through its Data Security and Compliance Office (DASCO) will also continue to issue mission orders on the conduct of compliance checks to businesses throughout the country to ensure compliance of PICs and PIPs covered by the mandatory registration requirements.”
The NPC conducted an on-the-spot privacy sweep at a mall establishment last May 15, and found 65 mall tenants unregistered with the agency.
“The NPC will relentlessly enforce the law by issuing show cause orders to unregistered businesses throughout this year, and those who fail to register despite the notice may be subjected to administrative fines, as provided under NPC Circular 2022-01 or the Guidelines on Administrative Fines,” it said.