
1. BPI Data Breach


The potential harm to thousands of data subjects prompted the
Commission to immediately coordinate with the BPI and its data protection
officer to work towards containing the breach and lessening the impact of
the incident. The BPI incident involved a breach in security affecting the
availability and integrity of information that relates to individuals.

Chapter 1 General Provisions

SEC. 4. Scope.

This Act applies to the processing of all types of personal information and
to any natural and juridical person involved in personal information
processing including those personal information controllers and processors
who, although not found or established in the Philippines, use equipment
that are located in the Philippines, or those who maintain an office, branch
or agency in the Philippines subject to the immediately succeeding
paragraph: Provided, That the requirements of Section 5 are complied with.

Penalties:

Chapter VIII

SEC. 29. Unauthorized Access or Intentional Breach.

– The penalty of imprisonment ranging from one year to three years and a
fine of not less than Five hundred thousand pesos (Php500,000.00) but not
more than Two million pesos (Php2,000,000.00) shall be imposed on
persons who knowingly and unlawfully, or violating data confidentiality and
security data systems, breaks in any way into any system where personal
and sensitive personal information is stored.

2. Cebuana Lhuillier Data Breach

A pawnshop and remittance company reported a data breach involving one
of its servers being used for marketing operations, compromising the data of
about 900,000 of their clients. According to Cebuana, among the data
compromised was customer information such as birth date, addresses, and
sources of income. The company was quick to reassure the public that
transaction details were not compromised and that its main servers
remained unaffected. It also claimed that the number of affected individuals
only represented 3% of its total clientele. The company said that it had
reported the breach to the NPC.

Chapter IV

Section 16. Rights of the Data Subject.

Any information supplied or declaration made to the data subject on these
matters shall not be amended without prior notification of data
subject: Provided, That the notification under subsection shall not apply
should the personal information be needed pursuant to a subpoena or
when the collection and processing are for obvious purposes, including
when it is necessary for the performance of or in relation to a contract or
service or when necessary or desirable in the context of an employer-
employee relationship, between the collector and the data subject, or when
the information is being collected and processed as a result of legal
obligation.

Penalties:

Chapter VIII

SEC. 25. Unauthorized Processing of Personal Information and Sensitive Personal Information.

– The unauthorized processing of personal information shall be penalized
by imprisonment ranging from one year to three years and a fine of not less
than Five hundred thousand pesos (Php500,000.00) but not more than Two
million pesos (Php2,000,000.00) shall be imposed on persons who process
personal information without the consent of the data subject, or without
being authorized under this Act or any existing law.

3. Comelec Data Leak

In a Facebook post before midnight Monday, March 28, a group calling
itself LulzSec Pilipinas wrote, "A great lol to Commission on Elections,
here's your whoooooole database." This appears to be the first major open
leak of elections-related data by a hacker group in the Philippines. The data
exposed include not only publicly available information, but also voter data,
voter registration data, and databases relevant to the functionality of the
website. As of early afternoon Monday, the Facebook post had 3 mirror
links to an index of files that could be downloaded. According to the
Readme text accompanying the files, these files are "the whole database
leak of Commission on Elections." The group added that while "some of the
tables are encrypted by Comelec," it has "the algo(rithms) to decrypt" the
data. The files include comweb.sql.qz, a 312GB archived file.

Chapter 1 General Provisions

Section 3 Definitions of Terms

Personal information controller refers to a person or organization who
controls the collection, holding, processing or use of personal information,
including a person or organization who instructs another person or
organization to collect, hold, process, use, transfer or disclose personal
information on his or her behalf.

Penalties:

Chapter VIII

SEC. 29. Unauthorized Access or Intentional Breach.

– The penalty of imprisonment ranging from one year to three years and a
fine of not less than Five hundred thousand pesos (Php500,000.00) but not
more than Two million pesos (Php2,000,000.00) shall be imposed on
persons who knowingly and unlawfully, or violating data confidentiality and
security data systems, breaks in any way into any system where personal
and sensitive personal information is stored.

Privacy Commission probes April hacking incidents

Local hackers, who call themselves Pinoy LulzSec, on Monday hacked into the database of the
Armed Forces of the Philippines and leaked information, including files on military personnel. The
group also managed to hack into government websites, as well as websites of universities and
private companies, including Ateneo de Zamboanga and the Technological University of the
Philippines in Taguig. (PNA)

SEC. 13 Sensitive Personal Information and Privileged Information. – The processing of
sensitive personal information and privileged information shall be prohibited

F. The processing concerns such personal information as is necessary for the protection of lawful
rights and interests of natural or legal persons in court proceedings, or the establishment, exercise
or defense of legal claims, or when provided to government or public authority.

PENALTIES

SEC. 29 Unauthorized Access or Intentional Breach. – The penalty of imprisonment ranging
from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on
persons who knowingly and unlawfully, or violating data confidentiality and security data
systems, breaks in any way into any system where personal and sensitive personal information is
stored.

https://www.pna.gov.ph/articles/1066539
