Privacy watchdog still waiting on MPTC details on data breach | ABS-CBN


Andrea Taguines,

ABS-CBN News

MANILA - The National Privacy Commission (NPC) has already been notified of the data breach that hit Metro Pacific Tollways Corporation (MPTC) on Saturday night, said an official on Tuesday.

But the NPC said it was only given an initial breach report on Tuesday morning, so it is still awaiting more details on the incident such as the number of motorists with Easytrip accounts that were actually affected.

“All personal information controllers, when they experience a personal data breach, you have 72 hours from discovery so they are availing of their 72 hours,” said Atty. Rainier Milanes, the Chief of NPC’s Compliance and Monitoring Division, in an interview with ABS-CBN News.

The NPC asks several things of companies affected by cyber attacks: a brief description of the data breach, how many data subjects were affected, the vulnerability of the system, and the pre- and post-breach security measures they undertook.

“So that we can assess you with administrative fines if we find that there was negligence or shortcomings. Were they able to identify affected data subjects? Did they notify them? Did they give them assistance?” said Milanes.

The NPC will also vet all the other information reported by the tollway operator.

“Because if there is something you did not say in your report, that could be concealment of a Personal Data Breach because you were not truthful… We will definitely find a violation of the DPA (Data Privacy Act),” he said, adding that the case would then be forwarded to the Complaints and Investigation Division.

POSSIBLE RISKS

Milanes said a possible danger that may come out of this data breach is the leaking of financial information.

“The RFID is connected to a payment system, and then you top-up… Maybe that is what the threat actor wants to get, the information about credit cards, the billing, the GCash, because that is what is linked to your RFID account,” he said.

To mitigate the risk of getting hacked, Milanes said it is “good practice” to unlink debit or credit cards from the RFID account and then use payment systems that implement multi-factor authentication and not just SMS OTPs to process payments.

“If they receive notification from MPTC that their data might have been compromised, seek assistance from MPTC as this is their right as a Data Subject,” he said in a separate statement.

But cybersecurity expert Jay Gomez also advised affected customers to first make sure that they are engaging with legitimate MPTC personnel.

“Watch out for phishing emails that may come from MPTC related to the breach and would instruct them to click on a link to update their accounts or information. Bad guys will do this to capitalize (on) that incident,” he said in a message to ABS-CBN News.

For his part, Data Ethics PH founder Dominic Ligot said affected clients may also change their log-in credentials for other online banking or social media platforms if they used the same information they submitted to MPTC.

The MPTC, which operates expressways like NLEX and SCTEX, earlier assured its customers that all Easytrip toll wallet balances are “intact and secure” despite the “limited data breach” on user accounts.
