CatSU’s unusual silence on the data breach

For one aiming to be a Smart Campus and having an IT expert as president, the Catanduanes State University’s actions regarding the recent data breach of its Electronic New Government Accounting System (eNGAS) were not smart enough.

According to the letter received sometime on or about August 15 by the affected employees and companies transacting business with CatSU, the accounting system was attacked by ransomware on July 24, 2024 and discovered two days later.

The letter, titled “Mandatory Personal Data Breach Notification for Data Subjects,” strangely did not have a date and the sender was simply identified as “The Breach Response Team.”

Although the letter bore the official CatSU logo and heading, it carried neither the name nor the signature of any known university official.

“The system is currently inaccessible and the data therein was encrypted,” the letter said, with the hackers presumably responsible for encrypting the data and preventing the university from accessing it.

According to someone in the know, the hackers reportedly asked for a certain amount as ransom for the encrypted data and it is reasonable to assume that the university management chose not to accede to the demand.

In informing the “data subjects” of the measures taken to “address the breach and reduce the harm,” the mysterious Breach Response Team assured them that it is committed to resolving the issue “promptly” and to strengthening its cybersecurity measures to prevent future incidents.

“Please do not hesitate to contact our Data Protection Officer for further information at 09086986268 or dpo@catsu.edu.ph,” the team advised the affected data subjects.

This is precisely what the owner of Tri-Star Press & General Merchandise, one of the affected companies and a sister firm of the Catanduanes Tribune, did.

And got no response at all.

Two emails, first on Aug. 16, then on Aug. 21, asking for more information as advised, went unanswered.

Neither the university website nor its Facebook account carried news about the data breach, while the social media account was replete with posts of the president attending the daily orientation of incoming first-year students and other events.

The silence of the concerned university officials on an incident that affected over 500 individuals and entities, and the considerable length of time (three weeks!) it took the “Breach Response Team” to notify the data subjects, is understandable to those who are familiar with Republic Act 10173, as you may later realize.

Section 20(f) of the Data Privacy Act of 2012 requires the personal information controller, in this case CatSU or anybody in charge of the system, to notify both the National Privacy Commission and the data subject within 72 hours “upon knowledge or reasonable belief…that a personal data breach has occurred.”

The notification is intended to allow data subjects to take the necessary precautions to protect themselves against the possible effects of the breach.

While the law allows a delay in notification on limited grounds, it does not excuse such delay if it is used to perpetuate fraud or to conceal the personal data breach.

Perhaps, the university, its unnamed data protection officer and Breach Response Team are only too aware of Section 30 of the same law, which punishes concealment of security breaches involving sensitive personal information with imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).

The penalty, it states, shall be imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission conceals the fact of such security breach.

Surely, a review of the timeline of the breach and the official notification points to the fact that the data subjects were not notified of the hacking of their personal data within the required 72 hours.

Those involved in ensuring the security of the personal data of CatSU employees and clients must be very concerned about this provision of law, hence, their unusual silence.
