NPC or­ders int’l air­line to ad­dress data breach is­sue


Per­sonal data of over 100,000 Filipinos have been com­pro­mised in a breach on the sys­tem of an in­ter­na­tional air­line ear­lier this year, ac­cord­ing to the Na­tional Pri­vacy Com­mis­sion (NPC).

$ UHSRUW VXEPLWWHG E\ &DWKD\ 3DFLÀF to the com­mis­sion re­vealed that data of 102,209 Filipinos were com­pro­mised in the breach that hap­pened in March.

Among those ex­posed were around 35,700 Philip­pine pass­port num­bers, as well as credit card de­tails of 144 Filipino users.

In an or­der dated Oct. 29, NPC com­plaints and in­ves­ti­ga­tions divi­sion chief Fran­cis Eus­ton Acero di­rected Cathay Pa­cific of­fi­cials to ex­plain within 10 days why it failed to timely no­tify the FRPPLVVLRQ RI WKH EUHDFK WKDW DͿHFWHG Filipinos.

In ad­di­tion, the NPC has or­dered CaWKD\ 3DFLÀF WR VXEPLW ZLWKLQ ÀYH GD\V fur­ther in­for­ma­tion on mea­sures be­ing taken to ad­dress the breach.

He noted in the four-page or­der that the in­ci­dent falls un­der the Philip­pine Data Pri­vacy Act of 2012, which re­quires data con­trollers to re­port an in­ci­dent of data breach within 72 hours af­ter its dis­cov­ery.

“For a full ap­pre­ci­a­tion of the cir­cum­stances sur­round­ing this re­port, and the data breach that it de­scribes, it is nec­es­sary to re­quire Cathay to ex­plain, in writ­ing, why Cathay and its re­spon­si­ble R΀FHUV VKRXOG QRW EH SURVHFXWHG XQGHU the pro­vi­sions of the Data Pri­vacy Act of 2012 for Con­ceal­ment of Se­cu­rity Breaches In­volv­ing Sen­si­tive Per­sonal In­for­ma­tion,” the NPC said.

The NPC said the air­line no­ticed sus­pi­cious ac­tiv­i­ties on its sys­tem on March 13 DQG RQ 0D\ &DWKD\ 3DFLÀF·V IRUHQVLFV in­ves­ti­ga­tors con­firmed there was unau­tho­rized ac­cess to some in­for­ma­tion ZLWKLQ WKH DLUOLQH DͿHFWLQJ WKH SHUVRQDO GDWD RI SDVVHQJHUV RI ERWK &DWKD\ 3DFLÀF and Hong Kong Dragon Air­lines Ltd., as ZHOO DV RI PHPEHUV RI WKH IUHTXHQW Á\HU pro­gram Asia Miles.

Among the ex­posed in­for­ma­tion were pas­sen­ger name, na­tion­al­ity, date of birth, phone num­ber, e-mail, credit card num­ber, ad­dress, pass­port num­ber, iden­tity FDUG QXPEHU IUHTXHQW Á\HU PHPEHUVKLS num­ber, cus­tomer ser­vice re­marks and his­tor­i­cal travel in­for­ma­tion.

Cathay, through its rep­re­sen­ta­tive ODZ\HU 3HULFOHV &DVXHOD RQO\ QRWLÀHG WKH NPC of the in­ci­dent last Oct. 25 af­ter it de­ter­mined “very re­cently” the na­tion­al­i­ties RI WKRVH DͿHFWHG

“On the sur­face, there ap­pears to be a fail­ure on the part of Cathay to re­port to this com­mis­sion what it knew about the GDWD EUHDFK DW WKH WLPH LW FRQÀUPHG XQDXWKRUL]HG DFFHVV DQG ZKDW WKH DͿHFWHG GDWD ÀHOGV DUH µ WKH RUGHU UHDG

´&DWKD\·V WHUP ¶YHU\ UHFHQWO\· GRHV not es­tab­lish any time­line through which we may de­ter­mine the time­li­ness of the re­port dated 25 Oc­to­ber 2018,” it added.

The NPC said the fail­ure to re­port such a data breach in a timely man­ner may reTXLUH WKH FRPPLVVLRQ WR IXOÀOO LWV PDQGDWH to en­sure com­pli­ance of per­sonal in­for­ma­tion con­trollers with the pro­vi­sions of the Data Pri­vacy Act.

“Philip­pine law im­poses crim­i­nal li­a­bil­ity on per­sons who, af­ter hav­ing knowl­edge of a se­cu­rity breach and of the obli­ga­tion to no­tify the com­mis­sion un­der Philip­pine law, in­ten­tion­ally or by com­mis­sion con­ceals the fact of such se­cu­rity breach,” the com­mis­sion said.

When a fail­ure to no­tify or de­lay hap­pens, the NPC may in­ves­ti­gate fur­ther on cir­cum­stances sur­round­ing the data breach.

Newspapers in English

Newspapers from Philippines

© PressReader. All rights reserved.