Privacy Commission probes April Fool’s data breach in some schools, govt institutions
The National Privacy Commission (NPC) is investigating a breach of personal information held by various organizations that occurred on April 1, 2018.
Around 2,000 individual data subjects were affected by the breach, according to the NPC.
“Part of the investigation is to learn how these breaches happened and to spread that knowledge so that government and all personal information controllers and processors can do a better job of protecting Filipino personal data,” Francis Euston Acero, chief of the NPC’s Complaints and Investigation Division, said in a text message to the Philippine News Agency (PNA).
The sanctions to be imposed would depend on the level of negligence of certain organizations in their duty to protect personal data.
“Where we find absolute negligence, the Comelec case is good guidance. We will not get ahead of the evidence,” Acero said.
The exposed data include the data subjects' names, addresses, phone numbers, email addresses and, in some instances, even passwords and school details.
The NPC summoned the management and other officials of seven schools, institutions and local government units Monday to explain why they notified neither the commission within 72 hours of the breach nor the affected data subjects whose personal data were downloaded through links posted on Facebook.
The privacy commission earlier sent notices to top officials of Taguig City University; the Department of Education offices in Bacoor City in Cavite and Calamba City in Laguna; the Province of Bulacan; Philippine Carabao Center; Republic Central Colleges in Angeles City; and Laguna State Polytechnic University, to appear before it from April 23 to 24.
None of the affected organizations were able to issue any data breach notifications as part of their obligations as Personal Information Controllers (PICs) under the Data Privacy Act of 2012, according to Privacy Commissioner Raymund Liboro.
“PICs are required to employ organizational, technical and physical measures to protect personal data. This includes the duty to inform data subjects and this Commission if there is a serious data breach,” Liboro said in a statement Tuesday.
The probe started last week after digital investigators from the NPC determined that each of the exposed databases contained sensitive personal information or data that could be used to perpetrate fraud.
In January last year, the NPC recommended criminal prosecution against then Commission on Elections Chairman Andres Bautista for the massive breach of the personal information of registered voters that occurred between March 20 and 27 in the run-up to the 2016 national and local elections. (PNA)