Personal data of some DOST employees compromised in data breach — NPC


The National Privacy Commission (NPC) on Monday, April 8, said an "on-site" investigation was conducted following the data breach of the Department of Science and Technology (DOST) server.

“Upon learning of this incident, the NPC promptly initiated actions through its Complaints and Investigation Division (NPC-CID),” NPC said in a statement.

“On April 4, 2024, an on-site investigation was conducted at the DOST Central Office to determine the nature and extent of the breach, as well as to identify any compromised personal data,” it added.

According to the initial findings, the breach affected the personal data of at least 597 individuals, all of whom are employees of DOST.

Assessments indicate that the breach may have exposed personal information and sensitive personal information, including names, gender, civil status, and addresses of DOST employees.

“Additionally, the data dump uploaded by the threat actor included several resumes of individual applicants to DOST. The NPC-CID is currently engaged in a thorough analysis of the data dump to fully determine the extent of the breach and assess associated risks,” NPC said.

The regulatory body received a breach notification from DOST on April 5.

Under NPC Circular 16-03, it is mandatory for DOST to notify the affected data subjects and the NPC within 72 hours upon knowledge or reasonable belief of a personal data breach.

Moreover, the NPC advised the public against accessing, downloading, or sharing the uploaded data dump without a legitimate purpose or proper authorization.

Engaging in such actions may constitute unauthorized processing of personal data, which is punishable by law.

“The NPC remains committed to keeping the public informed about the progress of this investigation as developments unfold,” NPC said.

On April 4, the Department of Information and Communications Technology (DICT) advised the public not to worry after a cyberattack compromised two terabytes (TB) of data from the DOST server.

The department underscored that “we have a working DICT, and as for the scientists whose data was compromised, I think they also have their products and creations in mind, and these are registered anyway.”

READ: https://mb.com.ph/2024/4/4/dict-allays-public-fear-amid-latest-cyberattack-on-dost

Furthermore, the DICT confirmed the breach on the DOST website on April 3.

In response, the DOST vowed to treat the hacking incident with "utmost seriousness."

READ: https://mb.com.ph/2024/4/3/dost-vows-to-address-hacking-incident