Senator Win Gatchalian urged government agencies to immediately report to the National Privacy Commission (NPC) any unauthorized access to databases containing personal information that they have in custody.
Gatchalian made the call after learning of the hacking of the Unified Student Financial Assistance System for Tertiary Education (UNIFAST) database in March that exposed the personal data of more than 1 million Tertiary Education Subsidy (TES) applicants.
The TES database which contains the private data of 1,130,899 applicants – including their student identification numbers, full names, birth dates, names of fathers and mothers, and home addresses – was hacked by a still unknown hacker in March 16.
The legislator said that according to an official document that his office received, the hacker accessed and deleted the TES database and left a ransomware, a type of malicious software that threatens to publish the victim’s data unless a ransom is paid.
“The breach happened mid-March but the Secretariat was only able to report the breach to the NPC mid-April. Sana nireport nila ng mas maaga dahil responsibilidad nilang gawin ‘yon.” The lawmaker said.
“The breach happened mid-March but the Secretariat was only able to report the breach to the NPC mid-April.”
Sec. 20 (f) of Republic Act No. 10173 or the Data Privacy Act of 2012 states that “The personal information controller shall promptly notify the [NPC] and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes bat such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.”
Gatchalian also urged the UNIFAST Secretariat to be more vigilant in securing and storing personal data of students as he noted the series of hacking attacks on government websites in the previous weeks.
“The UNIFAST breach itself is alarming enough. But when you take into consideration the April 1 hack that leaked the Scout Ranger database of the Philippine Army, unscrupulous persons could cross reference both databases to determine where our soldiers live,” he said.
“The UNIFAST breach itself is alarming enough.”
“Kailangan natin ma-realize na this goes beyond the security of our students. Maaaring nakasalalay din dito ang seguridad ng ating mga sundalo,” Gatchalian added.
Gatchalian is a reserve lieutenant colonel in the Philippine Army.
Gatchalian previously urged the Department of Information and Communications Technology (DICT) to investigate the April 1 attack made by the hacker group Pinoy LulzSec on a large number of government websites.
“The government must also take steps to secure critical information structures and government networks. It bears pointing out that even the official Senate website does not currently use a secure connection,” he said.
