
NPC confirms data breach of DOST employees


The National Privacy Commission (NPC) on Monday confirmed that some precious data of employees of the Department of Science and Technology (DOST) was compromised, barely a week after the Department of Information and Communications Technology (DICT) said that a cyberattack happened in the DOST system, affecting around 2 terabytes of data.

"The NPC has launched an investigation in response to a reported personal data breach within the DOST. Initial findings indicate that the breach includes the personal data of approximately 597 data subjects, all of whom are employees of DOST," the data privacy vanguard said in a statement, adding that it immediately acted through its Complaints and Investigation Division.

When the news broke, the DICT said it had coordinated with the DOST to recover the lost data from the system, in an incident considered one of the biggest data hacks in terms of scope.

The NPC, on the other hand, said that on 4 April 2024, an on-site investigation was conducted at the DOST Central Office to determine the nature and extent of the breach, as well as to identify any compromised personal data.

"Preliminary assessments reveal that the breach potentially exposed personal information and sensitive personal information, such as names, gender, civil status, and addresses of DOST's employees. Additionally, the data dump uploaded by the threat actor included several resumes of individual applicants to DOST," the NPC statement further read.

Moreover, the NPC disclosed that the NPC-CID is currently engaged in a thorough analysis of the data dump to fully determine the extent of the breach and assess associated risks.

The NPC said it received a breach notification from DOST on 5 April 2024.

"Under NPC Circular 16-03, the DOST must notify the affected data subjects and the NPC within 72 hours upon knowledge of or a reasonable belief that a personal data breach has occurred," the NPC said.

With this, the NPC advised the public against accessing, downloading, or sharing the uploaded data dump without legitimate purpose or proper authorization, as such actions may constitute unauthorized processing of personal data, which is punishable by law.

Besides the DOST, it was reported earlier that the Philippine Statistics Authority (PSA) was also breached, and a data leak transpired in the National ID system.

However, the PSA was quick to deny it, saying that the allegations were false and that they found no leak in the National ID database.

"Further investigation is being conducted in relation to the alleged data leak in the National ID system, and measures are in place to ensure its security and integrity," the PSA maintained.

Daily Tribune
tribune.net.ph