
Activity#3 (TBL Hub) : Tubosa, Aldrin T. Laguindab, Abdul Mahid Waren O. Cunanan, Jericho P

The document discusses several data breaches and privacy incidents in the Philippines: 1) The National Privacy Commission is investigating a data breach at the Bank of the Philippine Islands that affected thousands of customer accounts. 2) Around 900,000 clients of Cebuana Lhuillier had personal information compromised in a data breach involving one of the company's marketing servers. 3) Hackers leaked a large amount of election-related data from the Commission on Elections, including voter registration information. The National Privacy Commission has started an investigation.

Uploaded by

SWEET

ACTIVITY#3 (TBL Hub)

FINAL PERIOD
INFORMATION SECURITY 2018 (ITSEC2018)

LEADER: ISIDORO, FRENCH JONAS D.

MEMBERS: GENERALE, JAMES VERNIEL

TUBOSA, ALDRIN T.

LAGUINDAB, ABDUL MAHID WAREN O.

CUNANAN, JERICHO P.

SECTION: III – CINS

SUBMITTED TO:

PROF. ERWIN GUERRA

DATE: NOVEMBER 22, 2021


WAREN

1. NPC conducts privacy compliance check on BPI


The National Privacy Commission (NPC) is conducting a privacy compliance check
on the Bank of Philippine Islands (BPI) after the recent incident that caused the bank’s
electronic channels to be temporarily suspended, inconveniencing many of its clients. The
NPC has been in contact with the bank since 7 June 2017, the first day news about the
incident spread on social media. The high-profile nature of the incident, and the potential
harm to thousands of data subjects prompted the Commission to immediately coordinate
with the bank and its data protection officer to work towards containing the breach and
lessening the impact of the incident. The BPI incident was reported to have been caused
by human error resulting in previously posted transactions being reposted. The discovery
of the error prompted the Bank to suspend access to thousands of accounts. The BPI
incident involved a breach in security affecting the availability and integrity of information
that relates to individuals, considered a personal data breach under NPC’s memorandum
circular on personal data breach management (NPC MC 16-03).

CHAPTER V - SECURITY OF PERSONAL INFORMATION


SECTION 20. Security of Personal Information

(c) The determination of the appropriate level of security under this section must
take into account the nature of the personal information to be protected, the risks
represented by the processing, the size of the organization and complexity of its
operations, current data privacy best practices and the cost of security implementation.
Subject to guidelines as the Commission may issue from time to time, the measures
implemented must include:

(1) Safeguards to protect its computer network against accidental, unlawful or
unauthorized usage or interference with or hindering of their functioning or availability;

(2) A security policy with respect to the processing of personal information;

(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its
computer networks, and for taking preventive, corrective and mitigating action against
security incidents that can lead to a security breach; and

(4) Regular monitoring for security breaches and a process for taking preventive,
corrective and mitigating action against security incidents that can lead to a security
breach.

CHAPTER VIII – PENALTIES

SECTION 29. Unauthorized Access or Intentional Breach.

The penalty of imprisonment ranging from one (1) year to three (3) years and a
fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than
Two million pesos (Php2,000,000.00) shall be imposed on persons who knowingly and
unlawfully, or violating data confidentiality and security data systems, breaks in any way
into any system where personal and sensitive personal information is stored.

JAMES

2. Data breach hits Cebuana Lhuillier, around 900k clients affected


A pawnshop and remittance company reported a data breach involving one of its
servers being used for marketing operations, compromising the data of about 900,000 of
its clients. According to Cebuana, among the data compromised was customer
information such as birth date, addresses, and sources of income. The company was
quick to reassure the public that transaction details were not compromised and that its
main servers remained unaffected. It also claimed that the number of affected individuals
only represented 3% of its total clientele. The company said that it had reported the
breach to the NPC.

CHAPTER IV – RIGHTS OF THE DATA SUBJECT


SECTION 16. Rights of the Data Subject.
Any information supplied or declaration made to the data subject on these matters
shall not be amended without prior notification of data subject: Provided, That the
notification under subsection (b) shall not apply should the personal information be needed
pursuant to a subpoena or when the collection and processing are for obvious purposes,
including when it is necessary for the performance of or in relation to a contract or service
or when necessary or desirable in the context of an employer-employee relationship,
between the collector and the data subject, or when the information is being collected and
processed as a result of legal obligation.

(c) Reasonable access to, upon demand, the following:

(1) Contents of his or her personal information that were processed;

(2) Sources from which personal information were obtained;

(3) Names and addresses of recipients of the personal information;


(4) Manner by which such data were processed;

(5) Reasons for the disclosure of the personal information to recipients;

(6) Information on automated processes where the data will or likely to be made as the
sole basis for any decision significantly affecting or will affect the data subject;

(7) Date when his or her personal information concerning the data subject were last
accessed and modified; and

(8) The designation, or name or identity and address of the personal information
controller;

CHAPTER VIII – PENALTIES


SECTION 25. Unauthorized Processing of Personal Information and Sensitive Personal Information.

(a) The unauthorized processing of personal information shall be penalized by
imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than Two million pesos
(Php2,000,000.00) shall be imposed on persons who process personal information
without the consent of the data subject, or without being authorized under this Act or any
existing law.

(b) Accessing sensitive personal information due to negligence shall be penalized
by imprisonment ranging from three (3) years to six (6) years and a fine of not less than
five hundred.

JERICHO

3. NPC starts probe into COMELEC’s 2nd large scale data breach; issues compliance order

In a Facebook post before midnight Monday, March 28, a group calling itself
LulzSec Pilipinas wrote, "A great lol to Commission on Elections, here's your whoooooole
database." This appears to be the first major open leak of elections-related data by a
hacker group in the Philippines. The exposed data include not only publicly available
information, but also voter data, voter registration data, and databases relevant to the
functionality of the website. As of early afternoon Monday, the Facebook post had 3 mirror
links to an index of files that could be downloaded. According to the Readme text
accompanying the files, these files are "the whole database leak of Commission on
Elections." The group added that while "some of the tables are encrypted by Comelec," it
has "the algo(rithms) to decrypt" the data. The files include comweb.sql.qz, a 312GB
archived file.

CHAPTER I – GENERAL PROVISIONS


SECTION 3. Definition of Terms

(f) Information and Communications System refers to a system for generating,
sending, receiving, storing or otherwise processing electronic data messages or
electronic documents and includes the computer system or other similar device by or
which data is recorded, transmitted or stored and any procedure related to the
recording, transmission or storage of electronic data, electronic message, or electronic
document.

CHAPTER VIII – PENALTIES


SECTION 29. Unauthorized Access or Intentional Breach.

The penalty of imprisonment ranging from one (1) year to three (3) years and a fine of
not less than Five hundred thousand pesos (Php500,000.00) but not more than Two
million pesos (Php2,000,000.00) shall be imposed on persons who knowingly and
unlawfully, or violating data confidentiality and security data systems, breaks in any way
into any system where personal and sensitive personal information is stored.

JONAS

4. Privacy Commission probes April hacking incidents


Local hackers, who call themselves Pinoy LulzSec, on Monday hacked into the
database of the Armed Forces of the Philippines and leaked information, including files
on military personnel. The group also managed to hack into government websites, as well
as websites of universities and private companies, including Ateneo de Zamboanga and
the Technological University of the Philippines in Taguig. (PNA)

CHAPTER III – PROCESSING OF PERSONAL INFORMATION

SECTION 13. Sensitive Personal Information and Privileged Information.

F. The processing concerns such personal information as is necessary for the
protection of lawful rights and interests of natural or legal persons in court proceedings,
or the establishment, exercise or defense of legal claims, or when provided to government
or public authority.

CHAPTER VIII – PENALTIES


SECTION 29. Unauthorized Access or Intentional Breach.

The penalty of imprisonment ranging from one (1) year to three (3) years and a
fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than
Two million pesos (Php2,000,000.00) shall be imposed on persons who knowingly and
unlawfully, or violating data confidentiality and security data systems, breaks in any way
into any system where personal and sensitive personal information is stored.

ALDRIN

5. Filipino credit app Cashalo suffers data breach


A data breach at a Filipino credit company has exposed customers’ sensitive personal
details. Cashalo, a fintech company offering cash loans and other financial services to
customers in the Philippines, confirmed that “illegal access” of a database has resulted in
the leak of some personally identifiable information. Exposed details include the names,
email addresses, phone numbers, device IDs, and passwords of customers. Cashalo
stressed that passwords were encrypted and said that no accounts were compromised
as a result of the data breach. The unauthorized access was discovered on February 18
during routine “proactive monitoring”, said Cashalo. A statement reads: “We immediately
took the system offline, commenced investigations, self-reported it to the Philippines’
National Privacy Commission, and took a number of steps to review and enhance our
security measures.” Customers affected by the incident will be notified directly either via
email or in-app message, Cashalo said.

CHAPTER IV – RIGHTS OF THE DATA SUBJECT

SECTION 16. Rights of the Data Subject

Any information supplied or declaration made to the data subject on these
matters shall not be amended without prior notification of data subject: Provided, That
the notification under subsection (b) shall not apply should the personal information be
needed pursuant to a subpoena or when the collection and processing are for obvious
purposes, including when it is necessary for the performance of or in relation to a
contract or service or when necessary or desirable in the context of an
employer-employee relationship, between the collector and the data subject, or when the
information is being collected and processed as a result of legal obligation;

(c) Reasonable access to, upon demand, the following:

(1) Contents of his or her personal information that were processed;

(2) Sources from which personal information were obtained;

(3) Names and addresses of recipients of the personal information;

CHAPTER VIII – PENALTIES


SECTION 28. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes.

The processing of personal information for unauthorized purposes shall be
penalized by imprisonment ranging from one (1) year and six (6) months to five (5)
years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not
more than One million pesos (Php1,000,000.00) shall be imposed on persons
processing personal information for purposes not authorized by the data subject, or
otherwise authorized under this Act or under existing laws.

The processing of sensitive personal information for unauthorized purposes shall
be penalized by imprisonment ranging from two (2) years to seven (7) years and a fine
of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two
million pesos (Php2,000,000.00) shall be imposed on persons processing sensitive
personal information for purposes not authorized by the data subject, or otherwise
authorized under this Act or under existing laws.

REFERENCES:

https://www.privacy.gov.ph/2017/06/npc-conducts-privacy-compliance-check-bpi/

https://business.inquirer.net/263859/data-breach-hits-cebuana-lhuillier-around-900k-clients-affected

https://www.privacy.gov.ph/2017/02/npc-starts-probe-comelecs-2nd-large-scale-data-breach-issues-compliance-order/

https://www.pna.gov.ph/articles/1066539

https://portswigger.net/daily-swig/filipino-credit-app-cashalo-suffers-data-breach
