Senator Win Gatchalian urged government agencies to immediately report to the National Privacy Commission (NPC) any unauthorized access to the databases containing personal information that they have in custody.
Gatchalian made the call after learning of the Unified Student Financial Assistance System for Tertiary Education (UNIFAST) data breach in March that exposed the personal data of more than one million Tertiary Education Subsidy (TES) applicants.
The TES database containing the private data of 1,130,899 applicants – including their student identification number, full name, birth date, father’s and mother’s names, and address – was accessed by unknown intruders on March 16.
The lawmaker said that according to an official document that his office received, the hacker accessed and deleted the TES database and left a ransomware, a type of malicious software that threatens to publish the victim’s data unless a ransom is paid.
“The breach happened mid-March but the Secretariat was only able to report the breach to the NPC mid-April. Sana nireport nila ng mas maaga dahil responsibilidad nilang gawin ‘yon.” Gatchalian said.
Sec. 20 (f) of Republic Act No. 10173 or the Data Privacy Act of 2012 states that “The personal information controller shall promptly notify the [NPC] and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes bat such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.”
He urged the UNIFAST Secretariat to be more vigilant in securing and storing personal data of students as he noted the string of hacks on government websites in the previous weeks.
“The UNIFAST breach itself is alarming enough. But when you take into consideration the April 1 hack that leaked the Scout Ranger database of the Philippine Army, unscrupulous persons could cross reference both databases to determine where our soldiers live,” Gatchalian said.
“Kailangan natin ma-realize na this goes beyond the security of our students. Maaaring nakasalalay din dito ang seguridad ng ating mga sundalo,” he added.
Gatchalian is a reserve officer of the Philippine Army with the rank of lieutenant colonel.
He previously urged the Department of Information and Communications Technology (DICT) to investigate the April 1 attack made by hacking group Pinoy LulzSec on a large number of government websites.
“The government must also take steps to secure critical information structures and government networks. It bears pointing out that even the official Senate website does not currently use a secure connection,” he said.