The National Privacy Commission (NPC) has begun its investigation into the reported data breach of at least 2,000 individuals following an organized attack on the websites of government and commercial organizations last April 1.
In a statement on Tuesday, the NPC said data affected by the breach included the subjects’ sensitive personal information such as names, addresses, phone numbers, email addresses, and in some instances, even passwords and school details.
According to NPC, information such as these, could be used to perpetuate identity fraud; could land in the hands of unauthorized persons; and could cause serious harm to the affected data subjects.
Summoned on Monday by the NPC were top officials of the Taguig City University, the Department of Education (DepEd) offices in Bacoor City and Calamba City, the province of Bulacan, Philippine Carabao Center, Republic Central Colleges in Angeles City and the Laguna State Polytechnic University.
Those summoned were made to explain why within 72 hours of the breach, they did not notify the NPC and the affected data subjects, whose personal data were exposed for download via links posted on Facebook.
As of Monday, the NPC said none of the affected organizations were able to issue any data breach notifications, which is part of their obligations as Personal Information Controllers (PICs) under the Data Privacy Act of 2012.
“PICs are required to employ organizational, technical, and physical measures to protect personal data,” Privacy Commissioner Raymund Enriquez Liboro said.
“This includes the duty to inform data subjects and this Commission if there is a serious data breach,” he added. /muf