In the last week, two universities experienced hacking incidents involving their student-facing systems. San Beda University's student portal was hacked, while the University of the Philippines Cebu confirmed a breach of its Student Evaluation on Teaching, which is a separate system from its student portal.
San Beda University
June 5: San Beda University (SBU) discovered that its Bedista Student Portal had been hacked by a still unidentified person. Before the breach was confirmed, a message was posted on the Bedista Student Portal: "Greetings San Beda University! Do we have your attention now? We're expecting from you. Don't try to provoke us, this message may serve as a warning."
By accessing the portal, the attacker compromised personal data of students, faculty members and guardians, which includes:
| Data compromised | Classification |
|---|---|
| Full name | Personal Information |
| Contact numbers | Personal Information |
| Email addresses | Personal Information |
| Passwords | Sensitive Personal Information |
| | Sensitive Personal Information |
| Student identification number | Sensitive Personal Information |
| Student course | Sensitive Personal Information |
| Previous schools attended | Sensitive Personal Information |
| Statement of accounts | Sensitive Personal Information |
Allegedly, it was SBU's third-party service provider, Princetech Company, that was actually hacked.
SBU had already reached out to both the NBI and National Privacy Commission regarding this breach.
Even with the limited facts released to the public, it is clear that this incident is a personal data breach requiring mandatory notification of both the National Privacy Commission and the affected data subjects.
For notification to be mandatory, the following circumstances must concur:
- The personal data involves sensitive personal information or any other information that may be used to enable identity fraud;
- There is reason to believe that the information may have been acquired by an unauthorized person; and
- The personal information controller or the Commission believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
In this case, some of the compromised information is clearly sensitive personal information; based on early assessments, there is reason to believe that it has been acquired by an unauthorized person; and from the nature of the data compromised alone, we can infer that the data subjects are at risk.
University of the Philippines-Cebu
A document was uploaded to Scribd, a document-sharing platform, containing the names of students and alumni of U.P. Cebu. This is believed to have come from the Student Evaluation on Teaching, or SET.
This happened a day before multiple "dummy accounts" impersonating these individuals were created on Facebook. The administration of U.P. Cebu later admitted that the SET had been hacked.
However, the administration assured its data subjects that no personal information other than the names and passwords stored in the SET was gathered or compromised, since the SET is a separate system from the Student Portal, which holds more sensitive personal information.
U.P. Cebu has already contacted the National Privacy Commission regarding this incident.
Mandatory notification of the data subjects is still required in this case. Although the incident did not compromise sensitive personal information, merely having the names of the data subjects was enough to enable the creation of the "dummy" Facebook accounts, and these "dummy accounts" did facilitate identity fraud.
Advisories were indeed issued in light of the recent surge in "dummy accounts" on Facebook, urging the community to collectively track down and report these accounts in order to mitigate the harm they could cause. However, this is not the notification contemplated by law.
Notification of data subjects about personal data breaches requiring mandatory notification must be made individually, through a secure means. As to its contents, it must inform the data subject of the nature of the breach, the measures taken to address the breach and reduce its negative effects, and lastly any assistance provided, if any.
What can we learn from these incidents?
First, both universities immediately sought the help of the National Privacy Commission, and so were able to notify the Commission of the incidents as soon as possible. However incomplete their information, since no full investigation could have been completed within the time frame, they still went ahead and notified the Commission. This enabled them to respond better to the incident at hand.
Second, it is everyone's job to spot possible breaches, since some breaches are really hard to detect. In the case of U.P. Cebu, it was an uploaded document that triggered the investigation. While some breaches are loud and imposing, much like the defaced Bedista Student Portal at San Beda, many more are covert, like the one at U.P. Cebu.
Lastly, early detection of a breach clearly affects how much damage it can cause. In the case of U.P. Cebu, because these events were highly publicized and made known to people, the whole community proactively fought against the "dummy accounts," which might have caused more damage had they remained undetected. These dummy accounts, however, targeted more than just U.P. Cebu students and alumni; other individuals were affected as well.