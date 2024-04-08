The National Privacy Commission (NPC) said it has launched an investigation into the reported personal data breach within the Department of Science and Technology (DOST).

NPC said initial findings indicate that the breach includes the personal data of approximately 597 data subjects, all of whom are employees of DOST.

“Preliminary assessments reveal that the breach potentially exposed personal information and sensitive personal information, such as names, gender, civil status, and addresses of DOST’s employees,” the privacy body said in a statement on Monday.

In addition, NPC noted that the data dump uploaded by the threat actor included several resumés of individual applicants to DOST.

NPC said its Complaints and Investigation Division (NPC-CID) is currently engaged in a “thorough” analysis of the data dump to fully determine the extent of the breach and assess “associated” risks.

On April 4, the country’s privacy body said it conducted an onsite investigation at the DOST Central Office to determine the nature and extent of the breach, as well as to identify any compromised personal data.

NPC said it received a breach notification from DOST on April 5.

Under NPC Circular 16-03, it is mandatory for the DOST to notify the affected data subjects and the NPC within 72 hours upon knowledge of or a reasonable belief that a personal data breach has occurred.

Further, NPC said it “strongly urges” the public against accessing, downloading, or sharing the uploaded data dump without legitimate purpose or proper authorization.

“Such actions may constitute unauthorized processing of personal data, which is punishable by law,” it said.

According to local news reports, the Department of Information and Communications Technology (DICT) said last week that a cyberattack on DOST has affected around 2 terabytes of data.