MANILA -- More reports of data breaches were received by the National Privacy Commission in 2023, Commissioner John Henry Naga said on Thursday.

In the Privacy Commissioner’s Report for 2023, Naga noted investigating “high profile breaches” involving government agencies such as PhilHeatlh, Philippine National Police, and the National Bureau of Investigation as well as the glitch on the popular e-wallet app GCash.

DICT says looking at suspects in PSA data breach

'You've been hacked': House website defaced, goes offline

“It’s a challenging time because of the threats that we have received as well as the budgetary requirement we got from the government,” Naga said.

Naga told ABS-CBN News that 2023 saw a spike in data breaches in government agencies.

But the privacy commissioner said that it appears to be a global trend, and should be a reminder for government organizations to register their data processing systems with the agency.

Under the Data Privacy Act, government agencies engaged in the processing of personal data of at least 1,000 individuals should be registered with the NPC.

With the national government’s push for digitalization, the NPC stressed that cyberthreats is on the rise and potential vulnerabilities of infrastructures should be addressed.

“The problem with 2023 is that government agencies are the one being attacked by these cybercriminals. Previously kasi, mostly ang mga breaches natin ay mas marami pero personal, mga errors lang in sending emails… But now kasi, parang they’re a syndicate or people that what they do is hack the government sites,” Naga said.

“Previously, our breaches mostly were more personal, just errors in sending emails... But now, it seems like they're a syndicate or people that what they do is hack the government sites.)

The commission received 421 breach notifications in 2023 mostly from hacking, theft, phishing, and unauthorized access. In 2022, NPC handled 224 data breaches. 

Naga urged organizations to promptly report to the commission any potential data breach.

“Breach notification kasi, it comes after the breach. You notify us that there’s a breach that happened sa organization and sadly, some organizations do not report to us… Nalaman na lang because may breach na malakihan… They did not report to us until sumagot na siya na malaki,” Naga said.

(We found out because the breach became huge...they didn't report to us until it blew up.)

For 2024, NPC wants some 20,0000 organizations, including local government units and government agencies, to be registered with them. 

The commission has doubled its registration in the recent year to 7,000 organizations or Personal Information Controllers and Personal Information Processors, from an average of 3,000 organizations in the previous years.

NPC also plans to build its Compliance and Monitoring Command Center this year for monitoring of data processing systems.

“Once you are registered, we have access to data processing systems. We will see to it na all data processing systems are in place - may firewall, may antivirus, so it will not be easily attacked by actors,” Naga said.

NPC has been given an additional P100 million in its budget for fiscal year 2024 to build its command center.

NPC conducts on-the-spot privacy sweep, compliance checks at Parañaque mall