Personal Data Breaches in the Philippines

5-Minute Lessons by Victor

20 May 202108:08

Summary

TLDRThis video explores the concept of personal data breaches, covering the three main types: confidentiality, integrity, and availability breaches. It highlights the causes of data breaches, such as system vulnerabilities, weak passwords, and phishing attacks. The video also discusses notable data breaches in the Philippines, including the 2016 Comelec hack and the 2019 Cebuana Lulier breach. Furthermore, it explains the guidelines set by the National Privacy Commission for reporting breaches, emphasizing the legal consequences for non-compliance. The content serves as an informative resource on protecting personal data and understanding breach notification protocols.

Takeaways

😀 Personal data breaches involve accidental or unlawful destruction, loss, alteration, or unauthorized access to personal data.
😀 Three main types of personal data breaches are: confidentiality, integrity, and availability breaches.
😀 A **confidentiality breach** happens when personal data is disclosed or accessed without authorization, e.g., a hacker accessing data in a system.
😀 An **integrity breach** occurs when personal data is altered in an unauthorized way, making it unreliable or corrupt.
😀 An **availability breach** happens when personal data is lost or destroyed, such as when a computer system fails without backups.
😀 Data breaches are often caused by system vulnerabilities, weak passwords, drive-by downloads, and email phishing attacks.
😀 Hackers often exploit weak passwords to gain access to personal information, which is why strong, unique passwords are important.
😀 In March 2016, the **Comelec data breach** exposed the personal data of 55 million voters, making it the worst recorded breach of a government health database.
😀 In January 2019, **Cebuana Lhuillier** experienced a breach affecting 900,000 clients, where email addresses, birth dates, and phone numbers were exposed.
😀 The **National Privacy Commission (NPC)** requires businesses to notify it within 72 hours if a breach affects at least 100 data subjects or involves sensitive personal information.
😀 Failure to notify the NPC or concealing a breach can result in penalties, including imprisonment and fines ranging from P500,000 to P1,000,000.

Q & A

What is a personal data breach?
-A personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access to personal data.
What are the three main types of personal data breaches identified by Jam Jacob?
-The three main types of personal data breaches identified are: 1) Confidentiality breach (unauthorized disclosure or access to personal data), 2) Integrity breach (unauthorized alteration of personal data), and 3) Availability breach (accidental or intentional loss or destruction of personal data).
Can intentional disclosures be considered a confidentiality breach?
-Yes, even intentional disclosures qualify as a confidentiality breach if personal data is accessed or disclosed without authorization.
What is an example of an integrity breach?
-An example of an integrity breach is when a digital file containing personal data becomes corrupted, making the data unreliable despite still being accessible.
What is a common example of an availability breach?
-A common example of an availability breach is when a computer system stops working and there is no backup system in place, leading to the loss or destruction of personal data.
Why do data breaches occur, according to Alison Grace Johansen?
-Data breaches occur because cybercrime is seen as a profitable industry. Hackers target personally identifiable information to steal money, compromise identities, or sell the data on the dark web.
What are some common methods attackers use to exploit vulnerabilities and carry out data breaches?
-Attackers exploit system vulnerabilities by sneaking in malware, using weak passwords, engaging in drive-by downloads, and using email-based phishing techniques to trick users into revealing credentials or downloading malware.
What are the details of the 2016 Comelec data breach in the Philippines?
-The 2016 Comelec data breach affected 55 million voters in the Philippines. It led to the theft of 15.8 million fingerprint records, email addresses, passport numbers, and other personal data, which were later shared on the dark web. The breach was attributed to a hacktivist group, Anonymous Philippines.
What was exposed in the 2019 data breach involving Cebuana Lhuillier?
-The 2019 Cebuana Lhuillier data breach exposed personal information of approximately 900,000 clients, including names, birth dates, email addresses, mobile numbers, and in some cases, income information.
What are the guidelines for notifying the National Privacy Commission (NPC) about a data breach in the Philippines?
-According to NPC Circular 16-3, personal data breaches must be reported within 72 hours if the breach affects at least 100 data subjects or involves sensitive personal information that could harm individuals. A full report must be submitted within five days, including details about the breach and actions taken to address it.