PHILIPPINES INFORMATION, COMMUNICATION AND TECHNOLOGY CASES

REPUBLIC ACT NO. 10173 - DATA PRIVACY ACT OF 2012

CASE 1:

COMELEAK

(MARCH 2016)

In March 2016, the Philippine Commission on Elections (COMELEC) encountered a severe data breach
orchestrated by the hacker group "LulzSec Pilipinas." Exploiting vulnerabilities within the COMELEC website, the
group employed SQL injection techniques to breach the database, compromising the personal information of 55
million registered voters. The exposed data included names, birthdays, addresses, and passport numbers, marking
one of the largest breaches in Philippine history. Termed "Comeleak," this breach raised widespread concerns
regarding the security of government systems and the protection of citizen data. The group claimed responsibility for
obtaining the entire COMELEC database, highlighting significant lapses in cybersecurity measures. Subsequently,
legal proceedings ensued, and Paul Biteng, a 23-year-old IT graduate, was indicted by the Department of Justice
(DOJ). Biteng admitted to breaching the website to expose vulnerabilities but denied any intention to steal personal
data. However, on March 29, 2018, Biteng was found guilty of violating the Cybercrime Prevention Act of 2012,
resulting in a six-year imprisonment penalty.

LAWS RELATED:
Republic Act No. 10173 - Data Privacy Act of 2012

Republic Act No. 10175 - Cybercrime Prevention Act of 2012

CRIMINAL CASE COMMITTED :

Republic Act No. 10175 - Cybercrime Prevention Act of 2012

Republic Act No. 10173 - Data Privacy Act of 2012

RESULT OF THE CASE:

The breach resulted in the exposure of sensitive personal information of approximately 55 million Filipino voters,
including names, birthdays, addresses, and even passport numbers. This raised widespread concerns about privacy
and data security, as well as questions about the ability of government agencies to safeguard citizen data. Paul
Biteng, a 23-year-old IT graduate, was indicted by the Department of Justice (DOJ) in connection with the
Comeleak incident. Biteng admitted to breaching the COMELEC website to expose vulnerabilities but denied any
intention to steal personal data. However, on March 29, 2018, Biteng was found guilty of violating the Cybercrime
Prevention Act of 2012, resulting in a six-year imprisonment penalty.The Comeleak incident sparked public
awareness about the importance of cybersecurity and data protection. It prompted calls for reform within
government agencies to strengthen cybersecurity measures and ensure the protection of citizen data. The incident
also highlighted the need for improved legislation and enforcement mechanisms to address cybercrimes effectively.

REFERENCE:
https://fma.ph/comeleak-year-hence/#:~:text=The%20National%20Privacy%20Commission%20has%20released
%20the%20result,prosecution%20only%20of%20COMELEC%20Chairperson%20Andres%20D.%20Bautista.

https://newsinfo.inquirer.net/1539249/in-the-know-the-2016-comeleak

https://www.researchgate.net/publication/369184215_COMELEC_data_breach_2016_Case_Study

CASE 2:
 Massive Data Breach Exposes Over 1 Million Records from NBI, PNP, and Other
Government Agencies
(2024)

In a staggering revelation, it has come to light that a massive data breach has compromised the personal
information of over 1 million individuals, sourced from the databases of prominent Philippine
government agencies, including the National Bureau of Investigation (NBI), the Philippine National
Police (PNP), and several others. This breach represents one of the largest incidents of its kind in the
country, raising grave concerns about data security and privacy protection within government institutions.
The breach, which occurred in 2024, underscores the critical vulnerabilities existing within government
systems and the urgent need for enhanced cybersecurity measures to safeguard sensitive information.
Personal data exposed in the breach includes names, addresses, contact details, and potentially other
confidential information, leaving affected individuals vulnerable to identity theft, fraud, and other
malicious activities. The National Privacy Commission (NPC), the regulatory body responsible for
overseeing data privacy compliance in the Philippines, has launched an immediate investigation into the
breach. The NPC's inquiry aims to determine the scope and impact of the breach, identify the root causes,
and hold accountable any parties found to have violated data protection regulations.

LAWS RELATED:
Republic Act No. 10173 - Data Privacy Act of 2012

Republic Act No. 6713, Code of Conduct and Ethical Standards for Public Officials and Employees

REFERENCES:
https://newsinfo.inquirer.net/1758456/over-1-million-records-from-nbi-pnp-other-agencies-
leaked-in-huge-data-breach
https://nbi-onlineclearance.com/nbi-pnp-other-agencies-leak-over-1-million-records-in-massive-
data-breach/
 REPUBLIC ACT NO. 10175 - CYBERCRIME PREVENTION ACT OF 2012

CASE 1:
BDO Unibank Hacking
(2021)

In a recent development, prosecutors have taken decisive action against individuals allegedly involved in
the hacking of hundreds of accounts belonging to clients of BDO Unibank Inc. (BDO). The National
Bureau of Investigation (NBI) made significant strides in apprehending four suspects connected to the
cybercrime, marking a pivotal moment in the pursuit of justice. These charges stem from meticulous
investigations conducted by the NBI – Cybercrime Division (NBI-CCD), culminating in entrapment
operations carried out in January. Ronelyn Panaligan, operating under the guise of 'Luka Hanabi' on the
"Max Bounty" Facebook page, purportedly orchestrated the sale of dummy accounts. By luring victims
into providing personal information under the pretext of surveys, Panaligan facilitated the illicit
acquisition of verified GCash or Paymaya accounts, subsequently peddling them to other malevolent
actors. Ifesinachi Fountain Anaekwe (alias 'Daddy Champ') and Chukwuemeka Peter Nwadi are
purportedly the masterminds behind the "Mark Nagoyo Group," facilitating access to legitimate bank
accounts, crypto wallets, and point-of-sale terminals for nefarious purposes. During entrapment
operations, Anaekwe offered company accounts as 'dropping accounts,' while Nwadi's involvement is
subject to further investigation to ascertain probable cause for indictment.

LAWS RELATED:

Republic Act No. 10173 - Data Privacy Act of 2012

Republic Act No. 10175 - Cybercrime Prevention Act of 2012

Republic Act No. 8484 – Access Devices Regulation Act of 1998

CRIMINAL CASE COMMITTED :

Republic Act No. 10173 - Data Privacy Act of 2012

Republic Act No. 10175 - Cybercrime Prevention Act of 2012

Republic Act No. 8484 – Access Devices Regulation Act of 1998

REFERENCES:

https://val.law/landmark-decision-ownership-of-trademarks-may-be-acquired-through-good-faith-use/
#:~:text=On%2029%20November%202007%2C%20Natrapharm%20filed%20a%20Trademark,was%20the
%20rightful%20owner%20of%20the%20mark%20%E2%80%9CZYNAPS%E2%80%9D .

https://batasfilipinas.com/zuneca-pharmaceutical-v-natrapharm-inc-g-r-211850-08-september-2020/
#google_vignette

CASE 2:
 San Beda University Website Hack
(2020)

San Beda University (SBU) finds itself grappling with a cybersecurity crisis as its student portal falls
victim to a malicious hacking incident. On June 5, the university discovered that an unidentified
hacker had infiltrated the student portal, compromising the personal data of its students and
sparking widespread concern among the educational community. The repercussions of this breach
extend far beyond the unauthorized access to email addresses and passwords. The hacker also
managed to obtain a trove of personal data, including students' birthdays, postal addresses, grades,
and statements of account. Such a breach not only compromises the privacy of individual students
but also raises serious concerns about the integrity and security of the university's digital
infrastructure. Prior to the confirmation of the hack, the student portal was defaced, with the hacker
brazenly displaying a threatening message: "Greetings San Beda University! Do we have your
attention now? We're expecting from you. Don't try to provoke us, this message may serve as a
warning." This brazen act served as a chilling reminder of the vulnerability of digital systems and the
audacity of cybercriminals.

LAWS RELATED:
Republic Act No. 10173 - Data Privacy Act of 2012
Republic Act No. 10175 - Cybercrime Prevention Act of 2012
Republic Act No. 8792 or the Electronic Commerce Act of 2000
CRIMINAL CASE COMMITTED :
Republic Act No. 10173 - Data Privacy Act of 2012
Republic Act No. 10175 - Cybercrime Prevention Act of 2012
Republic Act No. 8792 or the Electronic Commerce Act of 2000

REFERENCES:
https://val.law/landmark-decision-ownership-of-trademarks-may-be-acquired-through-good-
faith-use/#:~:text=On%2029%20November%202007%2C%20Natrapharm%20filed%20a
%20Trademark,was%20the%20rightful%20owner%20of%20the%20mark
%20%E2%80%9CZYNAPS%E2%80%9D.
https://batasfilipinas.com/zuneca-pharmaceutical-v-natrapharm-inc-g-r-211850-08-september-
2020/#google_vignette

Republic Act No. 8792 - Electronic Commerce Act of 2000

CASE 1:
Trademark Infringement Case: Zuneca Pharmaceutical vs. Natrapharm, Inc
(2007)

On 29 November 2007, Natrapharm filed a Trademark Infringement case against Zuneca, alleging that
“ZYNAPS” is confusingly similar to its registered trademark “ZYNAPSE”. While Zuneca argued that as the
first entity to use the mark in good faith, it was the rightful owner of the mark “ZYNAPS”. Under the
brand name “ZYNAPS,” Zuneca sells carbamazepine, an anti-convulsant used to treat a variety of seizure
disorders, including epilepsy. After obtaining a Certificate of Product Registration from the Bureau of
Food and Drugs in 2003, it has been selling the medicine under the aforementioned mark since 2004.
According to the organization’s president, she was unable to register her trademark since she was unable
to find the time owing to her father’s illness. On the other hand, Natrapharm sells a drug called citicoline
under the trademark “ZYNAPSE” for the treatment of cerebrovascular disease or stroke. The trademark
was registered with the IPOPHL in 2007. Prior to registration, the Vice President used a research tool,
which lists pharmaceutical products in the Philippines, to verify that no other product used the
abovesaid mark. Only after verification was the mark registered. Natrapharm filed a suit for trademark
infringement against Zuneca before the Quezon City Regional Trial Court. The RTC ruled for Natrapharm.
On appeal, the Court of Appeals sustained the RTC. The Supreme Court ruled in the negative. After a
lengthy discussion regarding the legislative history of Intellectual Property Law in the Philippines, the
Supreme Court declared that, under the Intellectual Property Code or R.A. 8293, the mode of acquiring
ownership over trademark is by valid registration of the same with the IPO in accordance with law.

LAWS RELATED:
Republic Act No. 8293, Intellectual Property Code of the Philippines

CRIMINAL CASE COMMITTED :

Republic Act No. 8293, Section 170 – Penalties

REFERENCES:

https://val.law/landmark-decision-ownership-of-trademarks-may-be-acquired-through-good-faith-use/
#:~:text=On%2029%20November%202007%2C%20Natrapharm%20filed%20a%20Trademark,was%20the
%20rightful%20owner%20of%20the%20mark%20%E2%80%9CZYNAPS%E2%80%9D.

https://batasfilipinas.com/zuneca-pharmaceutical-v-natrapharm-inc-g-r-211850-08-september-2020/
#google_vignette

Republic Act No. 9775 - Anti-Child Pornography Act of 2009

CASE 1:
The Cadajas Case
(2021)

In a recent decision, the Supreme Court of the Philippines addressed the admissibility of evidence
obtained from a messaging app account in a criminal case, shedding light on the intersection of privacy
rights and criminal prosecution. The case, Cadajas v. People (2021), involved a man convicted of child
pornography, with photos and messages from his Facebook Messenger account serving as key evidence
against him. The accused argued that the evidence was obtained in violation of his right to privacy and
should be deemed inadmissible. However, the Supreme Court disagreed, delving into the nuances of
privacy law and its application in the digital age. The Court first discussed the right to privacy,
emphasizing that it protects individuals from government intrusions but not necessarily from scrutiny by
private parties. It clarified that in cases involving private parties, laws such as the Civil Code and the Data
Privacy Act of 2012 (DPA) come into play. Regarding the DPA, the Court explained why the processing of
personal data in connection with the case was permissible. It cited two reasons: it related to determining
criminal liability, and it was necessary for the protection of lawful rights in court proceedings. Moreover,
the Court applied the reasonable expectation of privacy test and concluded that there was no privacy
violation. This test considers whether an individual has a reasonable expectation of privacy in a
particular context, and in this case, the Court found that there was none.

LAWS RELATED:

Republic Act No. 10173 - Data Privacy Act of 2012

Republic Act No. 10175 - Cybercrime Prevention Act of 2012

CRIMINAL CASE COMMITTED :

Republic Act No. 10173 - Data Privacy Act of 2012

RA 7610 – Special Protection of Children Against Abuse, Exploitation, and Discrimination Act

REFERENCES:

https://www.ateneo.edu/news/2022/07/11/the-cadajas-case-and-data-privacy

https://sbuthebarrister.com/2022/11/03/christian-cadajas-y-cabias-v-people-of-the-philippines-g-r-no-
247348-november-16-2021/

https://elibrary.judiciary.gov.ph/thebookshelf/showdocs/1/68092