By Mario Casayuran
The database of the Unified Student Financial Assistance System for Tertiary Education (UNIFAST) has been breached by hackers.
Senator Sherwin Gatchalian, chairman of the Senate economic affairs committee, revealed this yesterday as he urged government agencies to immediately report to the National Privacy Commission (NPC) any unauthorized access to the databases containing personal information that they have in custody.
The data breach committed last March exposed the personal data of more than one million Tertiary Education Subsidy (TES) applicants, Gatchalian said.
He said the TES database containing the private data of 1,130,899 applicants – including their student identification number, full name, birth date, father’s and mother’s names, and address – was accessed by unknown intruders on March 16.
Gatchalian said that according to an official document that his office received, the hacker accessed and deleted the TES database and left a ‘’Ransomware,’’ a type of malicious software that threatens to publish the victim’s data unless a ransom is paid.
“The breach happened mid-March but the Secretariat was only able to report the breach to the NPC mid-April. Sana nireport nila ng mas maaga dahil responsibilidad nilang gawin ‘yon,” he said.
Section 20 (f) of Republic Act No. 10173 or the Data Privacy Act of 2012 states: “The personal information controller shall promptly notify the [NPC] and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes bat such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.”
Gatchalian urged the UNIFAST Secretariat to be more vigilant in securing and storing personal data of students as he noted the string of hacks on government websites in the previous weeks.
“The UNIFAST breach itself is alarming enough. But when you take into consideration the April 1 hack that leaked the Scout Ranger database of the Philippine Army (PA), unscrupulous persons could cross reference both databases to determine where our soldiers live,” Gatchalian said.
“Kailangan natin ma-realize na this goes beyond the security of our students. Maaaring nakasalalay din dito ang seguridad ng ating mga sundalo,” he added. (We should realize that this goes beyond the security of our students. This might also place the security of our soldiers.)
Gatchalian is a PA reserve officer with the rank of lieutenant colonel.
He previously urged the Department of Information and Communications Technology (DICT) to investigate the April 1 attack made by hacking group Pinoy LulzSec on a large number of government websites.
“The government must also take steps to secure critical information structures and government networks. It bears pointing out that even the official Senate website does not currently use a secure connection,” he added.