After 'Comeleak,' NPC to audit government websites

Ron Gagalac, ABS-CBN News

Posted at Jan 06 2017 06:26 PM

The National Privacy Commission (NPC) will audit and inspect the websites of government institutions, banks, and health institutions to determine their level of data privacy security and to help avoid a repeat of last year's hacking of the Commission on Elections (Comelec) website, dubbed "Comeleaks."

NPC Deputy Commissioner Atty. Ivy Patdu said the NPC has already tasked its Compliance and Monitoring division to go about cracking the codes of the websites to learn how strong or weak the systems put in place against professional hackers are.

"They are the ones who are now looking into whether the reports given to us that the websites have weaknesses are true. They do the checking, and if they see something, we advise on what they should do," Patdu said.

From March to April of last year, a group of hackers defaced the websites of Comelec and stole more than 77 million records in the Comelec system. 

Two suspects, Paul Biteng and Jonnel De Asis, were arrested and later admitted to having participated in Comeleaks.

But Biteng said that aside from Comelec, he was also able to hack more than 20 other government websites, and that other sites were highly vulnerable to hacking.

At present, the NPC will attempt to crack the websites of government institutions, banks and health institutions to test their vulnerability and, if they are found weak, recommend security measures thereafter.

"There are just too many of them, which is why they are making a system per sector now. Let’s say, in the health sector, who should be checked first. Not everything can be checked immediately, but there are ones that will be checked," Patdu said.

The NPC has started talking to PhilHealth to further improve its data security measures, since confidential information on the health of its members is at risk of being breached if its system is hacked.

They also reminded private, commercial, and government banks to fully comply with the Data Privacy Act to avoid any legal problems if their websites are found to be insufficient in data security. 

The NPC reminded all offices, private and public, that hold data subject information to comply with the requirements of the Data Privacy Act of 2012. That is, to employ a Data Protection Officer who will ensure compliance with the Act; data privacy assessment; privacy policy; security measures; and breach management procedures.

"Even the most secure system can be breached. You cannot guarantee it; you can only strengthen your system so there is a slim chance that there will be a breach," Patdu said.