OSG did not tell privacy watchdog about recent data breach
MANILA, Philippines—The Office of the Secretary General (OSG) did not notify the country’s data privacy watchdog about the data breach that was flagged to it twice last March, a violation that is punishable with jail time and a hefty fine under the Data Privacy Act.
TurgenSec, a London-based cybersecurity company, said in a statement that it had alerted the OSG and the Philippine government about the data breach on March 1 and 24.
Over 345,000 official documents were leaked online, including sensitive information on pending court cases and information on witnesses.
Under current rules, the National Privacy Commission (NPC) needs to be notified of a data breach within 72 hours. However, more than two months since the breach was brought to OSG’s attention, the NPC said on Tuesday (May 4) that it has not yet received any notification from the OSG.
TurgenSec said the OSG never replied to their e-mails, although the breach was closed on April 28, which the company assumed was done using information it had provided.
TurgenSec is behind the Breaches.uk project, which is responsible for the continued disclosure of significant UK data breaches. In an afterword following its statement, TurgenSec said the OSG data breach was discovered during research and development for one of its products.
Anyone with an internet connection and a web browser, it said, would have been able to access the data. TurgenSec said an unknown third party already has these data. It said the data are now likely in the hands of malicious actors “who could do considerable damage” if not stopped.
NPC protocols state that there should be no delay in the notification if the breach involves at least 100 data subjects, or if the disclosure of the sensitive information can harm the data subject. Otherwise, there will be penalties.
While the NPC had not yet issued an official statement on the issue as of posting time, its official website stressed that there are consequences for failing to notify the NPC. It remains to be seen, however, if the NPC would hold the OSG accountable.
“The failure to notify the NPC or the public may make you criminally liable for concealment of security breaches involving sensitive personal information,” NPC said on its website. The violation carries a penalty of up to 5 years imprisonment and a fine of up to P1 million.
“We encourage the Solicitor General of the Philippines to submit the breached data to digital forensics specialists to ascertain the extent of this data breach and whether any file’s integrity was compromised,” TurgenSec said.
“We also encourage them to publicly outline the extent of the information exposed and breached, and what steps are being taken to ensure this cannot happen again,” it added, noting that the OSG should also inform the UK’s Information Commissioner’s Office if the breach contained the data of any UK citizen.