Initial findings of an investigation of the reported personal data breach within the Department of Science and Technology (DOST) indicate the breach includes the personal data of approximately 597 data subjects, all of whom are employees of DOST, according to the National Privacy Commission (NPC).
The NPC said in a statement its Complaints and Investigation Division (NPC-CID) is currently engaged in a thorough analysis of the data dump to fully determine the extent of the breach and assess associated risks.
NPC-CID on April 4 conducted an on-site investigation at the DOST Central Office to determine the nature and extent of the breach, as well as to identify any compromised personal data.
Preliminary assessments revealed the breach potentially exposed personal information and sensitive personal information, such as names, gender, civil status, and addresses of DOST’s employees.
NPC said the data dump uploaded by the threat actor included several resumes of individual applicants to DOST.
The NPC received a breach notification from DOST on April 5 . Under NPC Circular 16-03, it is mandatory for the DOST to notify the affected data subjects and the NPC within 72 hours upon knowledge of or a reasonable belief that a personal data breach has occurred.
