Category Archives: data privacy

School yearbook used as food wrapper

Schools carry a huge amount of personal data about both their staff and their students. With the Data Privacy Act of 2012 (RA 10173) in full effect, everyone is expected to be compliant (or, at the very least, to be doing something towards compliance). Schools are no exception.

One Facebook post caught our attention. A user shared what appear to be pages of her school’s yearbook. Her caption said that the students have not yet received the yearbook, yet she was surprised to find that its pages have since been used as wrappers for rice porridge. Her status may look harmless, but those pages contain a lot of personal information that has now been handed to strangers.

Based on the screenshots, personal information such as the students’ photos, full names (including middle names) and their respective courses was disclosed without their authorization.

While most commenters took the incident lightly and even laughed at the fact that they have finally seen a glimpse of their yearbook, some realized that what happened is a “legit a security risk” and an “invasion of privacy”.

It seems the incident has already been reported to the proper authorities, who are now looking into the matter. We have also reached out to some of the people in the post for feedback and updates.

Whoever the printing company behind this yearbook is, it has some explaining to do to the school and its unsuspecting students. The school also needs to review its existing data sharing agreements (assuming it has any) with entities such as this printing company.

Note: We have intentionally removed the names of the students and other information in the associated photos. We will also update this article as soon as we get valuable information from the people we have contacted.


Magecart infects ABS-CBN Store with payment skimmer

Willem de Groot, a Dutch security researcher, recently reported that local broadcasting giant ABS-CBN Broadcasting Corp. is the latest company to be targeted by Magecart, the cybercriminal group behind the British Airways and Ticketmaster data breaches.

In his latest findings, de Groot discovered obfuscated JavaScript code in ABS-CBN Store, the company’s online merchandise shop. According to him, the code had been there since at least August 16th. The skimmer runs inside the customer’s browser during checkout and reads the payment form fields before the browser encrypts them for transmission. HTTPS/TLS only protects data in transit; it offers no defense against a script that is already running on the page.

His research shows that the personal information and credit card details of ABS-CBN Store customers are being sent to a server in Irkutsk, Russia. That server sits on the same Russian network as coffeemokko.com, a different malware campaign the researcher also discovered recently.
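The two points above, that TLS does not help once a script is on the page and that the exfiltration leg is where a site can still intervene, are easier to see in code. The following is an added example, not code from the original post, from ABS-CBN or from de Groot: a toy skimmer that packages form fields the way real ones do, and a minimal Content-Security-Policy evaluator that decides whether the browser would let the resulting request reach the collector. The hostnames, the collector address (a TEST-NET IP) and both policies are constructed for illustration.

```javascript
// Added example, not code from the original post, from ABS-CBN or from the
// researchers it cites. Shows (1) why TLS does not stop an in-page skimmer and
// (2) how a Content-Security-Policy decides whether the skimmer's exfiltration
// request is allowed. Hostnames, the collector IP and both policies are
// constructed for illustration.

// (1) The skimmer already runs inside the checkout page, so it reads the form
// values in the clear; the browser only encrypts them for the TLS connection
// AFTER the script has taken its copy. Real skimmers commonly base64 the data
// into a query string or POST body like this.
function buildExfilRequest(formFields, collectorUrl) {
  const payload = Buffer.from(JSON.stringify(formFields)).toString('base64');
  return `${collectorUrl}?d=${encodeURIComponent(payload)}`;
}

// (2) Minimal CSP evaluator. Directives without an entry of their own fall
// back to default-src; form-action deliberately does NOT, which is the caveat
// operators most often miss.
const FALLS_BACK_TO_DEFAULT = new Set([
  'connect-src', 'img-src', 'script-src', 'style-src', 'font-src', 'media-src',
  'frame-src', 'child-src', 'worker-src', 'manifest-src', 'object-src',
]);
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources); // first occurrence wins
  }
  return policy;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1)) && host.length > pattern.length - 1;
  return pattern === host;
}

function sourceMatches(source, url, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === page.origin;
  if (s.startsWith("'")) return false;                            // nonces, hashes, 'unsafe-*' never match a URL
  if (s === '*') return /^(https?|wss?):$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;  // scheme-source such as "https:" or "data:"
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme ? url.protocol !== scheme + ':'
             : url.protocol !== page.protocol && !(page.protocol === 'http:' && url.protocol === 'https:')) return false;
  if (!hostMatches(host, url.hostname.toLowerCase())) return false;
  if (port === undefined ? url.port !== '' : port !== '*' && port !== (url.port || DEFAULT_PORTS[url.protocol])) return false;
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

function isRequestAllowed(cspHeader, directive, requestUrl, pageUrl) {
  const policy = parseCsp(cspHeader);
  let sources = policy.get(directive);
  if (sources === undefined && FALLS_BACK_TO_DEFAULT.has(directive)) sources = policy.get('default-src');
  if (sources === undefined) return true;                         // nothing governs this request type: allowed
  return sources.some((src) => sourceMatches(src, new URL(requestUrl), new URL(pageUrl)));
}

// Constructed scenario: a checkout page, a legitimate payment API and a skimmer collector.
const PAGE = 'https://store.example/checkout';
const COLLECTOR = 'https://203.0.113.10/gate.php';               // TEST-NET address standing in for the exfil server
const WEAK_CSP = "default-src *";
const HARDENED_CSP = [
  "default-src 'self'",
  "script-src 'self' https://cdn.example",
  "connect-src 'self' https://api.payments.example",
  "img-src 'self' data:",
  "form-action 'self'",
].join('; ');

function demo() {
  const exfil = buildExfilRequest({ cc: '4111111111111111', exp: '12/22', cvv: '123' }, COLLECTOR);
  return {
    weakConnect: isRequestAllowed(WEAK_CSP, 'connect-src', exfil, PAGE),      // true: wildcard lets the beacon out
    weakForm: isRequestAllowed(WEAK_CSP, 'form-action', exfil, PAGE),         // true: form-action never falls back
    hardConnect: isRequestAllowed(HARDENED_CSP, 'connect-src', exfil, PAGE),  // false
    hardImg: isRequestAllowed(HARDENED_CSP, 'img-src', exfil, PAGE),          // false: image-beacon variant blocked too
    hardForm: isRequestAllowed(HARDENED_CSP, 'form-action', exfil, PAGE),     // false
    legitApi: isRequestAllowed(HARDENED_CSP, 'connect-src', 'https://api.payments.example/v1/charge', PAGE), // true
  };
}
console.log(demo());
```

Two things worth taking from this. First, `default-src *` is no policy at all for a checkout page, and even a tight `default-src` leaves `form-action` wide open unless it is set explicitly, since the browser never falls back for it. Second, CSP only contains the damage: a skimmer that is already injected into the page can still read the card number, so the policy is a backstop for integrity controls on the page's own scripts, not a replacement for them.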

Before publishing the report, de Groot contacted the TV network but had yet to receive a response. We will also try to contact ABS-CBN and the National Privacy Commission (NPC) about this latest security breach.

In a separate report, ZDNet spoke with RiskIQ Senior Threat Intelligence Analyst Yonathan Klijnsma, who confirmed that this incident is indeed the work of Magecart.

As of this writing, the ABS-CBN Store is down. The company may already be acting on the report.

***UPDATE***

9/19/2018 – ABS-CBN released a press statement on the matter. The company confirmed that it has temporarily shut down the affected website, the ABS-CBN Store; apparently this also includes the UAAP Store. The Kapamilya Network has identified 213 affected customers as of this writing and has started contacting them.

In compliance with NPC requirements, the company said it is closely coordinating with the agency while the investigation is ongoing.

Below is a copy of the statement from Kane Errol Choa, ABS-CBN’s Head for Integrated Corporate Communications.

NPC also released a press statement through Privacy Commissioner Raymund Enriquez Liboro. The commissioner said that ABS-CBN’s Data Protection Officer, Jay C. Gomez, had already notified them of the breach, and that the agency is monitoring the situation. ABS-CBN is expected to provide the NPC with a copy of its full report within five days.


K1LL3rB4LL compromises DepEd Marinduque website

Sometimes you wonder how our government acts on cybersecurity issues. The Department of Education (DepEd) is a favorite target, probably because most of its websites have little to no security. Its assigned IT personnel, if there are any, do not seem to care about the agency’s reputation or about the information its websites store. It may not be a top priority at the moment, since they are also bombarded with more pressing national issues, but shouldn’t DepEd do something about these rampant defacements? Isn’t it alarming?

A recent report sent to us concerns yet another website of the agency. A hacker nicknamed K1LL3rB4LL defaced the website of DepEd Marinduque. The defacement took place last night, and the message left on the domain remains up as of this writing.

The hacker’s message is simple: he wants the site’s system administrator to work like a real IT pro and apply the necessary patches to the website as soon as possible. It will probably take some time to fix, but hopefully they are already on top of it. If not, they should be ready for the worst; it is only a matter of time before other hackers target the website with more sophisticated attacks.

Based on the report, the hacker got into the website’s admin panel, where he could view stored credentials. Using those credentials, he was able to log in to DepEd’s Learning Resource Portal, a separate system: one exposed password unlocking a second service is the classic credential-reuse problem. You can imagine the extent of this breach and what else could be done with that access.

K1LL3rB4LL claims he is from Marinduque and is genuinely concerned about the security of DepEd’s website in his province. He says he reached out to them before but was not satisfied, as they did not act on it appropriately.

In a social media post, Anonymous Quezon City shared the user email accounts that K1LL3rB4LL acquired after compromising DepEd Marinduque. To avoid spreading the confidential information, we have purposely removed the associated Pastebin link from the image below (although we know you are just one click away from that information).

We do not condone this or similar attacks on any website, even if we share the sentiment that our government should seriously consider investing in cybersecurity.

**Update**

September 11, 2018 – Reported this security incident to 8888 under Ticket #: G20180911-447-5

September 14, 2018 – DepEd Marinduque emailed us saying that they have received the report from 8888 and that security measures are now being deployed to the website. As of this writing, the site is down and simply redirects to their web hosting provider.

**End of Update**

We truly appreciate that the agency is acting on this. Kudos to DepEd Marinduque! We hope this is your last security incident.


Xscyth3 of PureHackers breaches PUP school database

Perhaps one of the wildest dreams of college students is to hack their school’s database and alter their grades at will. Of course, it is illegal, and we do not encourage this kind of cheating (or any form of it, for that matter). However, in the latest security breach we uncovered, a top Philippine university was compromised, and the culprit claims he was able to access the school’s database containing student records, including grades.

A hacker going by Noigel Dust, aka Xscyth3, managed to compromise a subdomain of the Polytechnic University of the Philippines (PUP). He initially uploaded a readme.txt yesterday, probably to test his access. It is the hacker’s way of ‘owning’ a compromised website: they vandalize it with their names, affiliated hacking groups and messages. PUP’s web administrators may have cleaned it up this morning, as that path is no longer accessible. Xscyth3 then put up the path RRB.php for the same purpose.

Students have started to flock to the hacker’s post. PUP, on the other hand, has yet to release a statement about the breach. Its data protection officer is expected to notify the National Privacy Commission, as this obviously involves personally identifiable information. We will keep this article updated as we get new information.

As for the hacker’s background, Xscyth3 is currently affiliated with PureHackers, the same hacking group that compromised Frontrow yesterday. Based on his profile on the cybercrime archive Zone-H, he has a long record of compromised websites under his belt, including recent ones such as Laguna University and the Department of Agriculture’s Bureau of Plant Industry portal. Those defacements were recorded last July 18 and 17 respectively and are still up as of this writing.


Hacker ‘Spade’ defaces Frontrow, 3 more sites

The website of multi-level marketing firm Frontrow has just been defaced by a hacker who goes by the name Spade and is associated with the hacking groups PureHackers and BloodSecurity International.

Based on what Spade posted on the defaced page, it seems he wanted to challenge the security of the company’s official website, leaving the message “Got Security?”

The defaced page was also set up to redirect visitors to a porn site: its meta refresh tag carries a URL parameter that automatically sends visitors to Beeg, a known porn site.

Aside from Frontrow, Spade also defaced three more websites.

We have yet to confirm the extent of this incident. The main page has a members’ login portal; if that was compromised, Frontrow’s thousands of members face a data privacy breach, and the company may have to report the details to the National Privacy Commission.

Spade describes himself as a ‘security researcher’, but his acts usually fall on the black-hat side, which is why our government tags him a ‘hacker’.

His groups, PureHackers and BloodSecurity International, are known hacking groups that freely share information about various hacking tools on their social media accounts.

Frontrow has yet to release a statement about the hack. Hopefully their web administrator and IT security personnel are aware of the breach and already working on it, as the defaced page is still up as of this writing.


Klook announces data breach incident

Popular travel website Klook recently announced that the company may have suffered a third-party data breach potentially exposing customers’ personal data and credit card information.

According to the statement published last June 29th, Klook discovered malicious JavaScript code in one of the analytics tools used on its website. The compromised third-party tool, called SOCIAPlus, has since been disabled.

The incident is said to be limited to transactions made on the Klook website between December 11, 2017 and June 13, 2018. Customers who booked through the Klook Android and iOS apps should not be affected.

Klook added that it has initiated a forensic investigation to determine the extent of the breach and whether customers were indeed affected. Customers who might have been affected were also notified via email.

Coincidentally, we stumbled upon a post in one of the local Facebook travel groups by an Overseas Filipino Worker (OFW) claiming that the credit cards she used for a recent trip to Hong Kong and Macau were later used for iTunes purchases. Based on her story, one of the unauthorized purchases amounted to 150,000 Yen. The travel package she booked apparently came from Klook. She also shared screenshots of an email from the travel company that appears to be a data breach notification. Her transaction with the company took place last January, which falls within the breach window.

We have yet to see any update from the National Privacy Commission (NPC) on whether this incident has reached its office, or whether any complaints have been filed by affected customers based in the Philippines. We will try to reach out to the OFW who shared her Klook experience on Facebook to check whether she has raised the issue with the NPC. Klook also operates in the Philippines and is therefore covered by the Data Privacy Act of 2012.

The travel company said it has opened communication lines for customers who want to inquire about the breach. Customers may email privacy@klook.com.

Should we get any new information from this security incident, we’ll keep this article updated.


NPC launches 1st National Data Privacy Conference in PH

Gathering around 2,000 data protection officers (DPOs) and data privacy enthusiasts from various sectors, including academe, government and corporations, the National Privacy Commission (NPC) successfully opened Privacy Awareness Week (PAW) by launching the first National Data Privacy Conference in the country.

Held at the Philippine International Convention Center in Pasay City, the two-day conference, which started on Monday, May 28th, was a breakthrough activity for the agency, whose mandate is “to administer and implement the Data Privacy Act (DPA) of 2012”. Dubbed the country’s privacy watchdog, the agency is also tasked to “monitor and ensure compliance of the country with international standards set for data protection.”

This year’s PAW centered on the theme “Protecting the Filipino’s Right to Data Privacy”.

The conference succeeded in keeping DPOs abreast of all things data privacy. To get everyone in sync on how DPOs should interpret the DPA and the agency’s regulations and processes, the conference lined up talks and workshops that let participants learn and mingle with fellow data privacy enthusiasts while enjoying the event.

NPC’s first Data Privacy Conference not only gave a glimpse of what is in store for everyone in the years to come, as data subjects and as data protectors, but also equipped participants with the right mindset toward the law and the agency.
