Social Engineering

A school computer was infected with malware for 5 years that stole sensitive information like names, addresses, phone numbers, dates of birth and social security numbers of over 15,000 students. Additionally, a former student observed an employee's password and later used that information to access a different district's payroll data of 5,000 employees and commit identity theft. The district had to spend $62,000 on fraud prevention services and suffered damage to its reputation. Key steps identified to prevent future attacks include taking password security seriously, assessing password strength, keeping devices secure, and using password management. Students found responsible should be held accountable under relevant data privacy laws.

Uploaded by Miko Rosales

Rosales, Mikole Ken V.

1. Malware

A school computer containing no confidential information was hooked to the network containing
the personal information of over 15,000 students. This computer was breached with malware
designed to steal sensitive data. Names, addresses, phone numbers, dates of birth and Social
Security numbers were all part of the database that was potentially exposed to this malware. It is
uncertain if any of this information was accessed, but the malware was found to have been on the
breached computer for approximately five years.

a) What should be the very first course of action?

Regardless of the incident, the very first course of action is to report the attack.

b) Should the public be informed about the situation? If so, how will their trust be regained?

With regard to the scenario, it is already stated that the malware had been breaching the
system for five years. It is therefore highly advisable to inform the public about the incident,
since it involves important and confidential student data, in order to regain the public's trust.

c) What steps should be taken to prevent similar attacks in the future?

To prevent these incidents from happening in the future, it is essential to secure the main
system itself by installing accredited and reliable antivirus software. Also, avoid downloading
suspicious software that may harm the system and compromise the sensitive data of the
public.

d) What are the ethical issues of this situation?

The ethical issue in this situation is that personal data must be kept secure and is to be
shared with other personal information controllers (PICs) only if there is a data sharing
agreement (DSA).

e) How should students be dealt with if they were the people initiating the attack?

If the students are of legal age, they shall be held accountable and jailed for the
unauthorized use of others' sensitive personal information, or pay the corresponding fine
under the relevant sections of the DPA. If the student is a minor, the student shall still face
consequences in a juvenile prison.

2. Breached Password - Shoulder surfing

A former student “shoulder surfed” (physically observed) the password of an employee while still in high school.
After graduating, he used this information to get into the district’s student information system. From there, he
gained access to a different district’s payroll data including birth dates, social security numbers, and bank account
information of 5000 current and former employees. This information was then used for identity theft purposes
including requesting and using credit cards, creating checks and altering bank account information. The
perpetrator was caught and arrested after attempting to use a fake check at a local store. At a cost of $62,000
the district gave all of the affected employees fraud prevention and resolution services. According to the district
superintendent, the district suffered “damage to our reputation with the public and our employees. Hundreds of
hours were spent investigating the extent of the compromised data and developing the plans and procedures to
protect staff from further exposure to fraud.... answering employee questions and preparing internal and external
communications. It is impossible to measure lost productivity as employees worried about their financial security
and work to change bank account and payroll information."

a) What should be the very first course of action?

The essential first step in dealing with data security is to take password security
seriously. This means choosing a strong password, not posting it on your personal
computer, and making sure no one is watching when you are entering your
password.

b) Should the public be informed about the situation? If so, how will their trust be regained?

Yes, the public should be informed so that they are aware of the situation and can
take the first course of action mentioned earlier, and so that they can update their
accounts to make them more secure.

c) What steps should be taken to prevent similar attacks in the future?

To prevent these types of incidents from happening in the future, as I mentioned in
letter A, one should start with that first course of action and assess whether one's
password is strong enough. Keeping devices under lock and key when not in use and
using password management are also important ways to prevent these types of
incidents.
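The answer above recommends assessing whether a password is strong enough. The following is an added example (not part of the student's submission) of a simple password assessor: it estimates guessing entropy from the character classes used, then applies policy checks for length, keyboard runs, repeated characters and membership in a breached-password list. The common-password list, the 12-character minimum and the 60-bit threshold are constructed assumptions for illustration.

```python
import math
import re

# Constructed sample of commonly breached passwords. A real deployment would
# check against a large breach corpus (e.g. a k-anonymity lookup service).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "school2020"}

# Short sequences that attackers try early because people type them from the keyboard.
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "12345", "abcdef")

def charset_size(pw: str) -> int:
    """Size of the alphabet the password draws from, judged by character class."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII symbols
    return size

def estimated_entropy_bits(pw: str) -> float:
    """Upper-bound guessing entropy, assuming each character is chosen uniformly.
    Real passwords are far from uniform, so this overestimates; the policy checks
    below catch the common non-random patterns."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0

def assess_password(pw: str) -> dict:
    """Return a verdict plus the reasons. 'strong' requires no findings at all."""
    findings = []
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        findings.append("appears in common-password list")
    if len(pw) < 12:  # assumed policy minimum
        findings.append("shorter than 12 characters")
    if any(run in lowered for run in KEYBOARD_RUNS):
        findings.append("contains a keyboard or sequential run")
    if re.search(r"(.)\1{2,}", pw):
        findings.append("repeats the same character three or more times")
    bits = estimated_entropy_bits(pw)
    if bits < 60:  # assumed policy threshold
        findings.append(f"estimated entropy {bits:.0f} bits is below 60")
    verdict = "strong" if not findings else "weak"
    return {"verdict": verdict, "entropy_bits": round(bits, 1), "findings": findings}

if __name__ == "__main__":
    for candidate in ("Password1", "school2020", "Tr0ub4dor&3", "correct-horse-battery-staple-42"):
        print(candidate, assess_password(candidate))
```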

d) What are the ethical issues of this situation?

Again, personal data shall be kept secure, shall be processed in accordance with the
rights of data subjects, and shall be processed only for specified, lawful, and compatible
purposes.

e) How should students be dealt with if they were the people initiating the attack?

Students shall be held accountable and shall face the potential penalties listed in the
Data Privacy Act. Under DPA Section 28, Unauthorized Purposes, the jail term is
approximately 2 to 7 years since the data is sensitive, or the student may pay a fine of an
estimated 500,000 to 2,000,000 pesos. The student also committed an offense under DPA
Section 29, Intentional Breach, which potentially carries a jail term of 1 to 3 years and a fine
of 500,000 to 2,000,000 pesos.
