
Republic of the Philippines

NATIONAL PRIVACY COMMISSION

IN RE: LAND TRANSPORTATION OFFICE (LTO) DATA BREACH
Initiated as an Independent NPC Investigation into the Possible Data Privacy Violations committed by LTO.

NPCBN No. 20-205
(Formerly CIDBN No. 20-205)
x-------------------------------------------------------x

ORDER
(To Submit Additional Documents and Information)

In accordance with (i) Section 1 of Rule VII of the 2021 NPC Rules of Procedure which
states that “[t]he investigating officer shall not be limited to the pleadings, allegations, issues and
evidence submitted before him or her. x x x In the course of the investigation, the complainant
and/or respondent may be required to furnish additional information, document or evidence, or
to produce additional witnesses;” (ii) Section 4, Rule X, of the 2021 NPC Rules of Procedure which
authorizes the Commission to require parties subject of an investigation to furnish additional
information, document, or evidence; and (iii) Section 9 (e) (2) of Rule III of the Implementing
Rules and Regulations for the Data Privacy Act which authorizes the Commission to require the
production of evidence through a subpoena, the following information and documents are
required from the Land Transportation Office (“LTO”):1

1. Contract between LTO and StradCom Corporation (“StradCom”), including the Terms of
Reference, Technical Specifications, Bid Data Sheet, Schedule of Requirements, and other
bidding documents identifying the details of the goods or service procured from
StradCom;

2. Updates on the contract or project with StradCom, including whether or not the system
involved is still used and the name of the party operating or managing the system at
present, if any;

3. Copies of Vulnerability Assessment and Penetration Testing (VAPT) reports conducted
prior to launching of the system and website, as well as VAPT reports closest to the
incident in question, if any;

4. Copies of Privacy Impact Assessments (PIA) conducted prior to launching of the system
and website, as well as PIA closest to the incident in question, if any;

5. Proof of implementation of existing security measures, such as (i) firewall, (ii) Intrusion
Prevention System, (iii) Secure Socket Layer, (iv) Completely Automated Public Turing
Test To Tell Computers and Humans Apart, (v) security enhancements to web
application system, (vi) addition of IT security protocols as part of the organizational
procedures, (vii) results of monitoring the internet for similar sites.2

1 While the complaint was filed prior to the effectivity of the 2021 NPC Rules of Procedure, Section 1 of Rule XII of the
2021 NPC Rules of Procedure states that “[t]hese Rules shall apply to all complaints filed after its effectivity. It shall
also apply to pending proceedings, except to the extent that their application would not be feasible or would work
injustice.”
2 Please see Breach Report for LTO attached as Annex “D” to Letter dated 7 July 2021 from LTO.

Ref No.: CID-22-1091 NPC_LEO_CID_ORD-V1.0,R0.0,05 May 2021

5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1307
URL: https//www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228

6. Proof of implementation of measures taken to prevent recurrence of the incident,
including proof of implementation of (i) anti-forgery feature of ASP.NET, (ii) session key
validation to verify user authorization in accessing web pages or data, (iii) encryption of
data results so that the same will only be readable to the authorized user and application.3

7. Other organizational, physical, and technical measures existing prior to the incident and
carried out by LTO and its third party personal information processors to secure LTO’s
system and websites, including LTO.net.ph. These should be supported by
documentation (such as orders, policies, manuals, and other proof that the measures were
duly issued by the LTO or its personal information processor) and proof of
implementation of the said measures; and

8. Copy of the LTO’s Security Incident Management Policy and Data Breach Response Team,
including supporting documentation and proof of implementation.

9. Updates on the investigation conducted in relation to the submitted breach notification
report, and measures conducted to address and/or prevent its recurrence.

10. Proof of notification made to the affected data subjects.

LTO is hereby given a period of fifteen (15) days from receipt hereof to comply with this
order. Documents may be sent to complaints@privacy.gov.ph.

SO ORDERED.

Pasay City, 15 March 2022.

For the National Privacy Commission:


Digitally signed by Canlas Walden Federick Ramoneda
Date: 2022.03.15 16:43:03 +08'00'

WALDEN FEDERICK R. CANLAS
Investigating Officer

Approved by:

Digitally signed by Santos Michael Reyes
Date: 2022.03.15 18:31:49 +08'00'

ATTY. MICHAEL R. SANTOS, MPA
Chief, Complaints and Investigation Division

cc:

LAND TRANSPORTATION OFFICE


East Avenue, Quezon City
ltomailbox@lto.gov.ph; oedlto2016@gmail.com;
rgveracruz@yahoo.com

GENERAL RECORDS UNIT


National Privacy Commission
CID/sat

3 Ibid.
