THE NATIONAL Privacy Commission (NPC) said that its initial investigation into the data breach concerning the Department of Science and Technology (DoST) included the personal data of 597 employees.

“Preliminary assessments reveal that the breach potentially exposed personal information and sensitive personal information, such as names, gender, civil status, and addresses of DoST’s employees,” the NPC said in a statement on Monday.

The NPC also said that the data uploaded by the “threat actor” or hacker included resumés of individual applicants to the DoST.

Ronald C. Gustilo, national campaigner of Digital Pinoys, said that the DoST officials should also be held liable and charged for the data breach.

“It’s unacceptable that in just a span of a few months, they were involved in two data breaches. When they should have learned and adjusted from the first time that it happened last December 2023,” Mr. Gustilo said in a Viber message. 

Citing the leak of the DoST OneExpert system last year, Mr. Gustilo said that the agency has been unable to properly prepare for another cyberattack, which allowed this second breach.

“The NPC-Complaints and Investigation Division is currently engaged in a thorough analysis of the data dump to fully determine the extent of the breach and assess associated risks,” the NPC said.

The agency conducted an on-site investigation at the DoST Central Office a day prior to when it received a breach notification from the DoST on April 5. “The NPC remains committed to keeping the public informed of the progress of this investigation as it unfolds,” the agency said.

Mr. Gustilo said the DoST should immediately notify the affected individuals and assist them in taking steps to ensure their safety.

“The leaked data may be used for a variety of purposes against the legitimate owners of the information. This must be prevented at all costs,” he added.

In a separate release, the NPC said it signed a memorandum of understanding with Dubai International Financial Center (DIFC) aimed at strengthening cooperation in data privacy last week in the United States.

Under the partnership, the two entities will engage in joint investigations for personal data breachers, provide training, and promote international certification systems and cross-judicial sandboxes.

“This partnership is an opportunity for both our data privacy authorities to foster a culture of privacy within our respective jurisdictions amidst the forefront of accelerated digitalization in both the public and private sectors,” NPC Commissioner John Henry D. Naga said.

Through the collaboration, Mr. Naga said both parties will be able to leverage each other’s expertise, experience, and best practices on a regional and global scale.

DIFC Commissioner of Data Protection Jacques John Visser said that the partnership between the two entities builds on the relationship the two parties had for years.

“We are very happy to continue collaborating, for example, with respect to enforcement cooperation or exploring options for data sharing with trust between our jurisdictions,” Mr. Visser said. — Justine Irish D. Tabile