AT LEAST 2,000 individual data subjects were affected by the “April Fool’s” organized attack on government websites by hackers calling themselves Pinoy Lulzsec, the National Privacy Commission said Tuesday.
“In its initial estimate … the combined number of exposed records in the breach was those of at least 2,000 individual data subjects,” NPC said in a statement.
Exposed in the breach were names, addresses, phone numbers, email addresses, and in some instances, even passwords and school details, according to the commission.
The NPC summoned the management and other responsible officials of seven schools, institutions, and local government units that fell prey to data breaches during organized attacks on government and commercial organizations on April 1, 2018.
“The privacy body earlier sent notice to top officials of Taguig City University; the Department of Education offices in Bacoor City and Calamba City; the Province of Bulacan; Philippine Carabao Center; Republic Central Colleges in Angeles City; and Laguna State Polytechnic University, to appear before it from April 23 to 24,” it said.
“This, to explain why they did not notify, within 72 hours of the breach, the NPC nor the affected data subjects, whose personal data were made available for download via links posted on Facebook,” the commission noted.
As of Monday, none of the affected organizations has been able to issue any data breach notifications as part of their obligations as Personal Information Controllers under the Data Privacy Act of 2012.
“PICs are required to employ organizational, technical, and physical measures to protect personal data,” Privacy Commissioner Raymund Enriquez Liboro said.
“This includes the duty to inform data subjects and this Commission if there is a serious data breach,” he said.
Digital investigators from the NPC determined that each of the databases exposed contained sensitive personal information or information that could be used to perpetuate identity fraud.