Statement of CHR Focal Commissioner on Emerging Technologies, Faydah Maniri Dumarpa, on the series of hacking incidents and cyberattacks on several government agencies

The Commission on Human Rights (CHR), through Commissioner Faydah Maniri Dumarpa, expresses grave concern over the series of hacking incidents and cyberattacks on several government agencies. These attacks pose an imminent threat to national security, public trust, and the integrity of government operations, particularly in this digital age.

As Focal Commissioner for Emerging Technologies, Commissioner Dumarpa highlights the interrelatedness of emerging ICTs and human rights by pointing out the need to limit the negative impacts of these technologies through a rights-based policy framework.

“The Commission hopes that human rights-based approaches are incorporated into relevant programs and policies, which may aid in the protection of the rights of Filipinos in the digital age. As such, we are also looking forward to doing a holistic study on how emerging technologies and human rights may be further studied so we can come up with recommendations to help the State and ultimately our people,” she explains.

It must be noted that these consecutive incidents call for a more forward approach in understanding the intersection between emerging technologies and human rights. The list includes:

On 22 September 2023, the Philippine Health Insurance Corporation (PhilHealth) was the first to be hit by these attacks, through the Medusa ransomware. Personal and sensitive information about Filipinos, such as names, addresses, and social security numbers, was compromised. This is considered the country’s largest data breach incident since COMELEAK in 2016.

Early in January 2024, PhilHealth encountered yet another cybersecurity issue, which resulted in glitches on its website. The Department of Information and Communications Technology (DICT) later clarified that this incident, unlike the first data breach, was caused by coding errors rather than hackers.

The second case involves the Philippine Statistics Authority (PSA), which announced on 12 October 2023 that personal and sensitive data from its Community-Based Monitoring System had been accessed by “bad actors.”

The third incident occurred on 15 October 2023, when the House of Representatives’ website was hacked and defaced before being temporarily rendered inaccessible.

The fourth and most recent hacking incident happened on 25 October 2023 when the DICT “sandbox” website was reportedly hacked. However, DICT Spokesperson Aboy Paraiso clarified that the site that was compromised contained no sensitive data or personal information.

As a response, Senator Risa Hontiveros proposed Senate Resolution (SR) No. 829 to assess the government’s current capacity to secure critical strategic infrastructure from cyberattacks and other potential threats. Various government agencies such as the National Privacy Commission (NPC) are also currently conducting investigations to determine the extent of the cyberattack as well as determine lapses and cases of possible institutional negligence.

The Commission acknowledges the efforts of concerned government agencies to mitigate the situation. Alongside this, we continue to call for comprehensive action to fortify cybersecurity defenses, bolster collaboration with Information and Communications Technology (ICT) and cybersecurity experts, and allocate the necessary resources to protect sensitive information and critical ICT infrastructure in the country.

As current developments in technology pose threats to human rights, particularly the right to privacy as outlined in Article 12 of the Universal Declaration of Human Rights, CHR emphasises the importance of upholding the principles of privacy and personal data protection.

In addition, as stated in the NPC guidelines, clients have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorised use of their personal data, taking into account any violation of their rights and freedoms as data subjects.

Furthermore, data has come to be viewed as the new currency of the information age. When data is used correctly, it can drive innovation, enhance services, and improve people’s quality of life. This valuable currency, however, must be protected from misuse, exploitation, or improper exposure.

As the State continues to eye the digitalisation of government agencies and services, measures should be implemented to ensure that digital privacy standards are met. In particular, accountability systems should be strengthened and cybersecurity defenses prioritised.

We continue to reiterate the State’s obligation to “ensure that personal information in information and communications systems in the government are secured and protected” as enshrined in Section 2 of the Data Privacy Act of 2012. Recognising the vital role that ICT plays in nation-building, the State must take the necessary steps to ensure its proper management and regulation to avoid endangering Filipinos’ right to privacy, which is crucial to the realisation of other equally important rights such as the rights to life, liberty and security, among others.