“No data breach happened” in UP Cebu—finding from investigation

| Written by Celeste Ann Castillo Llaneta


“No personal and technical data breach happened.”

This is the finding of the University of the Philippines Cebu Data Protection Officer (DPO) following an investigation in response to reports of an alleged data breach in the local student evaluation on teaching (SET) system, which led to a list of names and SET login credentials of students from the UP Cebu College of Communication, Art and Design being posted on Scribd.com.

In his report to Chancellor Liza D. Corro dated June 9, 2020, UP Cebu DPO Mr. Van Owen M. Sesaldo wrote that the SET, which is used by students to evaluate faculty members handling their courses, is hosted on a local server administered by the UP Cebu Information Technology Center.

“We immediately conducted a technical check on the server and the connected network equipment. We found that there were no indications of compromise, implying that no unauthorized access occurred,” Sesaldo said in his report.

More importantly, he added, the SET does not provide any other personal information to any authenticated user. It only shows the name of the faculty member to be evaluated and empty evaluation forms. Hence, this does not put students mentioned in the list under grave threat.

“In sum, no personal and technical data breach happened,” Sesaldo concluded. “Being enrolled in UP, their names have already been made public even upon passing the UPCAT. As far as the SET login credentials are concerned, these will be replaced in the coming evaluation period.”

The SET is different from the Student Academic Information System (SAIS), which handles the academic and financial data of all UP students, including UP Cebu students. The SAIS is hosted by a server that is managed and maintained by the UP System Information Technology Development Center (UP ITDC).

Upon confirming with the UP ITDC, the DPO for the UP System, Atty. Marcia Ruth Gabriela Fernandez, found that there was no data breach of SAIS or of UP Cebu’s student records.

In a letter to National Privacy Commissioner Raymund E. Liboro and NPC Deputy Commissioners Leandro Angelo Y. Aguirre and John Henry Du Naga dated June 10, 2020, Atty. Fernandez noted that the University has taken additional measures to safeguard the rights of UPCAT applicants by now requiring usernames and passwords to access UPCAT results. Moreover, although having detected no breaches in the University’s databases, the UP System Data Protection Officer has already called on the NPC for help in further safeguarding the privacy and online safety of the members of the UP community.