I. Introduction
Unauthorized system access is one of the core cybercrime offenses recognized under Philippine law. It generally refers to accessing a computer system, network, server, account, application, database, or digital infrastructure without authority, permission, or lawful justification.
In everyday terms, it may involve hacking into someone’s social media account, logging in to a company system without permission, bypassing security controls, using stolen credentials, entering a restricted database, or gaining access to a device or online account even without causing further damage.
In the Philippine legal context, unauthorized system access is primarily governed by the Cybercrime Prevention Act of 2012, officially known as Republic Act No. 10175. It may also overlap with laws on identity theft, data privacy, electronic evidence, fraud, threats, extortion, harassment, child protection, intellectual property, or corporate security depending on what the offender did after gaining access.
This article explains the legal basis, what evidence to prepare, where to file, how the complaint process works, and what remedies may be available.
II. Legal Basis
A. Cybercrime Prevention Act of 2012
The principal law is Republic Act No. 10175, or the Cybercrime Prevention Act of 2012.
Under this law, illegal access is a punishable cybercrime offense. Illegal access generally means access to the whole or any part of a computer system without right.
The phrase “without right” is important. It means that the person had no authority, consent, legal permission, or valid reason to access the system.
A person may be liable even if no money was stolen and even if no data was deleted. The unauthorized access itself may already constitute an offense.
B. Related Cybercrime Offenses
Unauthorized access may be accompanied by other cybercrime offenses, such as:
Illegal interception — intercepting non-public data transmissions without authority.
Data interference — damaging, deleting, deteriorating, altering, or suppressing computer data without right.
System interference — hindering or interfering with the functioning of a computer system.
Misuse of devices — using, producing, selling, obtaining, importing, distributing, or making available devices, programs, passwords, access codes, or similar data intended for committing cybercrime.
Computer-related forgery — inputting, altering, or deleting computer data resulting in inauthentic data with intent that it be considered or acted upon as authentic.
Computer-related fraud — unauthorized input, alteration, or deletion of data or interference with a computer system that causes damage or prejudice.
Computer-related identity theft — acquiring, using, misusing, transferring, possessing, altering, or deleting identifying information belonging to another person.
C. Data Privacy Act
If personal information or sensitive personal information was accessed, copied, exposed, leaked, or misused, the incident may also involve the Data Privacy Act of 2012, or Republic Act No. 10173.
This is especially relevant when the compromised system contains names, addresses, phone numbers, email addresses, government IDs, medical records, financial data, account credentials, employee records, customer records, or other personal data.
Complaints involving personal data breaches may also be brought to the attention of the National Privacy Commission, depending on the facts.
D. Revised Penal Code and Other Laws
Unauthorized access may also be connected to traditional crimes under the Revised Penal Code, such as estafa, unjust vexation, grave threats, coercions, libel, falsification, or malicious mischief, depending on what happened.
For example:
A hacked account used to demand money may involve extortion or fraud.
A hacked account used to post defamatory statements may involve cyberlibel.
A hacked business system used to divert payments may involve estafa or computer-related fraud.
A hacked email used to impersonate an officer of a company may involve identity theft, fraud, or falsification-related offenses.
III. What Counts as Unauthorized System Access?
Unauthorized access can occur in many forms. The following examples may fall within the scope of illegal access or related cybercrime offenses:
A person logs into another person’s email, social media, cloud account, e-wallet, messaging app, or banking account without consent.
A former employee accesses a company system after resignation or termination.
An employee accesses files, records, folders, databases, or systems beyond the scope of their job authority.
A person uses another person’s password without permission.
A person guesses, steals, buys, or obtains login credentials and uses them.
A person bypasses a login screen, security control, firewall, authentication process, or access restriction.
A person exploits a software vulnerability to enter a system.
A person installs malware, spyware, keyloggers, remote access tools, or backdoors.
A person accesses a website administration panel without permission.
A person enters a school, company, government, or organizational database without authority.
A person uses a device that was left open or logged in, knowing that they do not have permission to view or use the account.
A person accesses private files or messages from a shared device beyond what was allowed.
A person continues using an account after permission has been revoked.
The key question is not always whether the person knew the password. The legal question is whether the person had the right or authority to access the system or data.
IV. Elements of an Unauthorized Access Complaint
A complainant should be prepared to show the following:
First, that there was a computer system, account, device, network, database, server, application, or digital platform involved.
Second, that the respondent accessed all or part of that system.
Third, that the access was done without right, meaning without consent, permission, authority, or legal justification.
Fourth, that there is evidence connecting the respondent to the unauthorized access, or at least evidence sufficient to justify investigation.
Fifth, that the incident occurred within Philippine jurisdiction, affected a person or system in the Philippines, involved a Filipino citizen, or otherwise falls within the reach of Philippine cybercrime law.
In some cases, the exact identity of the offender is not yet known. A complaint may still be filed against an unknown person, often referred to as a complaint against “John Doe” or an unidentified person, so that law enforcement may investigate.
V. Where to File a Cybercrime Complaint
A cybercrime complaint for unauthorized system access may generally be filed with the following authorities:
A. Philippine National Police Anti-Cybercrime Group
The PNP Anti-Cybercrime Group investigates cybercrime complaints, including hacking, illegal access, online fraud, identity theft, cyber harassment, and related incidents.
A complainant may go to the appropriate cybercrime office or police station and submit evidence, identification, and a written complaint or affidavit.
B. National Bureau of Investigation Cybercrime Division
The NBI Cybercrime Division also handles cybercrime complaints. It may investigate hacking incidents, compromised accounts, online scams, data breaches, identity theft, extortion, and other cyber-related offenses.
The NBI may require a written complaint, identification documents, screenshots, device information, account details, and other supporting evidence.
C. Office of the Prosecutor
A criminal complaint may also be filed before the appropriate Office of the City Prosecutor or Provincial Prosecutor.
The prosecutor conducts preliminary investigation when the offense requires it. The purpose is to determine whether there is probable cause to charge the respondent in court.
In many cases, complainants first go to the PNP or NBI so that law enforcement can assist with technical investigation. However, direct filing with the prosecutor may be possible if the complainant already has sufficient evidence.
D. Department of Justice Office of Cybercrime
The DOJ Office of Cybercrime has important functions under the Cybercrime Prevention Act, including coordination, policy, and certain cybercrime-related legal processes. Depending on the nature of the case, law enforcement or prosecutors may coordinate with the DOJ Office of Cybercrime.
E. National Privacy Commission
If the incident involves unauthorized access to personal information or a personal data breach, a complaint or report may also be relevant before the National Privacy Commission.
This does not necessarily replace a criminal complaint. A single incident may involve both cybercrime investigation and data privacy proceedings.
VI. Immediate Steps Before Filing
Before filing a complaint, the victim should take practical steps to preserve evidence and reduce further harm.
1. Do Not Delete Evidence
Do not delete messages, emails, logs, notifications, screenshots, access alerts, or suspicious files. Even if the material is upsetting, it may be needed for investigation.
2. Take Screenshots
Capture screenshots showing:
Login alerts.
Password reset notifications.
Unauthorized transactions.
Suspicious messages.
Changed account details.
Unknown devices or sessions.
IP addresses, if visible.
Dates and times.
Email headers, where available.
URLs and usernames.
Error messages or system warnings.
Screenshots should include the full screen when possible, including date, time, URL, sender, and account name.
3. Preserve Original Files
Save emails, logs, documents, invoices, chat exports, system reports, and other digital records in their original format where possible.
For emails, preserve the full email with headers if available. For server incidents, preserve access logs, security logs, firewall logs, authentication records, admin logs, and audit trails.
4. Record a Timeline
Prepare a chronological timeline:
When the account or system was last known secure.
When suspicious activity was first noticed.
What activity occurred.
What accounts, devices, or systems were affected.
What data was viewed, copied, changed, deleted, or exposed.
What remedial steps were taken.
Who had authorized access.
Who may have had motive or opportunity.
5. Secure the Account or System
Change passwords immediately, especially for email accounts connected to password recovery.
Enable multi-factor authentication.
Log out all active sessions.
Revoke unknown devices and third-party app access.
Check recovery email addresses and phone numbers.
Scan devices for malware.
Notify the system administrator or platform provider.
Preserve logs before wiping or reinstalling systems.
6. Avoid Retaliation or Counter-Hacking
Victims should not attempt to hack back, access the suspect’s account, install spyware, or obtain evidence illegally. Doing so may expose the victim to criminal or civil liability.
VII. Evidence Needed for the Complaint
A strong complaint should include both narrative evidence and technical evidence.
A. Personal Identification
Prepare a valid government-issued ID. If filing for a company, bring proof of authority, such as a secretary’s certificate, board resolution, special power of attorney, authorization letter, or company ID, as applicable.
B. Affidavit-Complaint
The affidavit-complaint is the main sworn statement of the complainant. It should explain:
Who the complainant is.
What system, account, or device was accessed.
How the complainant owns, controls, administers, or is authorized over the system.
Why the access was unauthorized.
What happened before, during, and after the incident.
What evidence supports the complaint.
Who is suspected, if known.
What damage or prejudice resulted.
What laws may have been violated.
The affidavit should be clear, factual, chronological, and supported by attachments.
C. Screenshots and Printouts
Screenshots should be printed and attached. They may also be saved digitally.
Each screenshot should be labeled. For example:
“Annex A — Screenshot of unauthorized login alert dated ___.”
“Annex B — Screenshot of changed recovery email.”
“Annex C — Screenshot of unauthorized messages sent from account.”
D. Logs and Technical Records
For corporate, school, or organizational systems, useful records may include:
Server logs.
VPN logs.
Admin panel logs.
Firewall logs.
Authentication logs.
Database access logs.
Endpoint detection reports.
Security information and event management reports.
Cloud access logs.
IP address records.
Device IDs.
MAC addresses, where available.
User agent strings.
Geolocation alerts.
Session records.
File access records.
Change history.
Audit trails.
E. Platform or Service Provider Notices
Attach notices from platforms such as email providers, social media platforms, banks, payment processors, web hosts, cloud providers, or SaaS platforms.
These may show suspicious logins, password changes, recovery changes, security alerts, or unauthorized transactions.
F. Proof of Ownership or Authority
The complainant should prove the right to control the system or account.
Examples:
Account profile details.
Registration records.
Domain ownership records.
Company documents.
Employment records.
Administrative access records.
Service subscription receipts.
Email address ownership.
Business registration documents.
Website hosting contracts.
Internal IT policies.
G. Witness Statements
If other people saw the incident, received unauthorized messages, handled IT response, or can identify the suspect, their affidavits may be useful.
H. Proof of Damage
Although illegal access may be punishable by itself, proof of damage may strengthen the case.
Damage may include:
Financial loss.
Business interruption.
Loss of data.
Exposure of personal information.
Reputational harm.
Unauthorized transactions.
Cost of forensic investigation.
Cost of system restoration.
Loss of clients.
Misuse of confidential information.
Emotional distress, where relevant.
VIII. How to Draft the Affidavit-Complaint
A cybercrime affidavit should be detailed but not speculative. It should separate known facts from suspicions.
A typical structure may include:
1. Identity of the Complainant
State the complainant’s name, age, nationality, address, and capacity to file the complaint.
For a company, identify the representative and authority to file.
2. Description of the System or Account
Describe the affected account or system:
Email account.
Social media account.
Business database.
Website.
Server.
Cloud storage.
Mobile app.
Payment account.
Internal company system.
School portal.
Government-related system.
Explain who owns or controls it.
3. Statement of Authorization
Explain who was authorized to access the system and who was not.
For company systems, attach access policies, employee roles, termination records, access control records, or admin logs where available.
4. Facts of Unauthorized Access
State what happened in chronological order.
Avoid vague statements like “I was hacked” without details. Instead, state what was observed:
“I received an email stating that my password had been changed.”
“The system log showed a login from an unknown IP address.”
“The account sent messages that I did not write.”
“The admin dashboard showed that files were downloaded by a user account assigned to the respondent after his authority had been revoked.”
5. Identification of the Suspect
If the suspect is known, explain why.
Possible bases include:
The access came from an account assigned to the suspect.
The suspect admitted access.
The suspect used information only obtainable from the system.
The suspect threatened to access the system.
The suspect benefited from the access.
The suspect’s device or IP address appears in logs.
The suspect was the only person with the credentials.
The suspect had prior access but authority had been revoked.
Be careful not to overstate. If identity is uncertain, state that the complaint is against an unknown person and request investigation.
6. Acts Done After Access
Describe whether the offender:
Viewed files.
Copied data.
Deleted data.
Changed passwords.
Changed recovery details.
Sent messages.
Transferred money.
Defaced a website.
Installed malware.
Locked users out.
Disclosed private information.
Impersonated the complainant.
Demanded payment.
Used confidential information.
7. Damage or Prejudice
State what harm resulted.
Include financial loss, loss of access, cost of recovery, exposure of personal data, business disruption, reputational injury, or other consequences.
8. Request for Investigation and Prosecution
End by requesting that the appropriate authorities investigate and prosecute the responsible person for illegal access and other applicable offenses.
IX. Filing Procedure Before Law Enforcement
The exact procedure may vary, but a typical process is as follows:
Step 1: Prepare the Complaint Packet
The packet should include:
Affidavit-complaint.
Valid ID.
Evidence annexes.
Digital copies of evidence.
Proof of ownership or authority.
Technical logs, if available.
Witness affidavits, if any.
Company authorization documents, if applicable.
Step 2: Go to the Appropriate Cybercrime Office
The complainant may approach the PNP Anti-Cybercrime Group, NBI Cybercrime Division, or another appropriate law enforcement office.
Step 3: Intake and Initial Assessment
The investigator may ask questions about:
What happened.
When it happened.
What system was affected.
What evidence exists.
Whether the suspect is known.
Whether urgent preservation is needed.
Whether the case involves ongoing harm.
Step 4: Submission of Evidence
The complainant may be asked to provide printed and digital copies.
Digital evidence should be preserved carefully. Avoid altering metadata when possible.
Step 5: Forensic Examination
If a device is involved, law enforcement may request access to it for forensic examination. This may include a phone, laptop, server, hard drive, USB drive, or other storage media.
The complainant should ask about documentation of turnover, chain of custody, and return of the device.
Step 6: Investigation
Law enforcement may investigate by:
Reviewing logs.
Examining devices.
Sending preservation requests.
Coordinating with service providers.
Tracing IP addresses.
Interviewing witnesses.
Identifying account owners.
Preparing reports.
Recommending filing of charges.
Step 7: Referral to Prosecutor
If law enforcement finds sufficient basis, the matter may be referred to the prosecutor for preliminary investigation.
X. Filing Before the Prosecutor
A criminal complaint before the prosecutor usually requires a sworn complaint and supporting affidavits and documents.
The prosecutor may issue subpoenas to the respondent and require counter-affidavits.
The process generally includes:
Filing of complaint-affidavit.
Issuance of subpoena.
Submission of counter-affidavit by respondent.
Submission of reply-affidavit by complainant, where allowed.
Evaluation of probable cause.
Resolution by prosecutor.
If probable cause is found, an information may be filed in court. If not, the complaint may be dismissed, subject to available remedies such as motion for reconsideration or appeal, depending on the rules and circumstances.
XI. Preservation of Computer Data
In cybercrime cases, electronic evidence can disappear quickly. Logs may be overwritten, accounts may be deleted, and platforms may retain data only for limited periods.
The Cybercrime Prevention Act includes mechanisms for preservation of computer data. Law enforcement authorities may require preservation of traffic data, subscriber information, or other relevant data in accordance with the law.
Victims should file promptly because delay may result in loss of crucial evidence.
Important data to preserve includes:
Subscriber information.
Login records.
Traffic data.
IP addresses.
Timestamps.
Device information.
Account recovery history.
Message records.
Transaction logs.
Cloud access logs.
Administrative activity logs.
XII. Search, Seizure, and Disclosure of Computer Data
Cybercrime investigations may involve court processes and legal orders for search, seizure, examination, preservation, or disclosure of computer data.
Authorities generally need to follow constitutional and statutory requirements, especially where privacy rights, communications, devices, and stored data are involved.
A complainant cannot simply demand that a platform, telecom company, internet service provider, or bank release private records without proper legal process.
This is one reason why filing with the proper authorities is important. Investigators and prosecutors can determine what legal process is needed.
XIII. Jurisdiction and Venue
Cybercrime cases may involve multiple locations. The complainant may be in one city, the suspect in another, the server in another country, and the platform provider abroad.
Philippine cybercrime law may apply where:
The offender is in the Philippines.
The victim is in the Philippines.
The affected system is in the Philippines.
The damaging effects occurred in the Philippines.
The act was committed using infrastructure connected to the Philippines.
A Filipino citizen is involved, depending on the circumstances.
Venue can be legally complex in cybercrime cases. Prosecutors and investigators may determine the proper place of filing based on where the offense was committed, where its effects were felt, where the complainant resides, where the system is located, or where relevant acts occurred, subject to procedural rules.
XIV. Complaints Involving Companies and Employees
Unauthorized access often arises in employment or business settings.
Examples include:
A resigned employee continues accessing company email.
An employee copies customer data before leaving.
A contractor retains admin credentials after project completion.
A staff member accesses payroll, HR, medical, or customer records without authority.
A former IT administrator changes passwords or locks out the company.
A competitor receives data taken from a company system.
In these cases, the company should collect:
Employment contracts.
Confidentiality agreements.
IT policies.
Access control policies.
Acceptable use policies.
Termination letters.
Revocation notices.
System access logs.
Asset turnover forms.
Email correspondence.
Admin records.
Internal investigation reports.
Board or management authorization to file the complaint.
The company should also immediately disable accounts, rotate credentials, review access privileges, and preserve logs.
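One way to turn preserved access logs and revocation records into the list of entries that matter for the "without right" element, shown as an added example that is not part of the original article. The log format, user names, IP addresses, and revocation time are constructed assumptions; the point it illustrates is comparing timestamps across time zones and citing original line numbers.

```python
import re
from datetime import datetime

# Assumed (constructed) log layout: "<ISO-8601 time> <action> user=<id> ip=<addr> result=<status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\w+)$"
)

# Constructed sample: the server logs in UTC, the revocation notice is in Philippine time.
SAMPLE_LOG = """\
2024-03-01T08:30:00+00:00 login user=jreyes ip=198.51.100.23 result=success
2024-03-01T09:30:00+00:00 login user=jreyes ip=203.0.113.7 result=success
2024-03-01T09:31:12+00:00 download user=jreyes ip=203.0.113.7 result=success
2024-03-02T01:05:40+00:00 login user=jreyes ip=203.0.113.7 result=failure
2024-03-02T02:00:00+00:00 login user=msantos ip=198.51.100.40 result=success
corrupted line without fields
"""

# Constructed revocation record: account -> moment authority ended (from HR/IT records).
REVOCATIONS = {"jreyes": "2024-03-01T17:00:00+08:00"}


def find_post_revocation_access(log_text, revocations):
    """Return (findings, unparsed_line_numbers).

    A finding is any log entry for a revoked account whose timestamp is later
    than the revocation. Timestamps are compared as timezone-aware values, so a
    UTC log and a +08:00 revocation notice are handled correctly.
    """
    cutoffs = {user: datetime.fromisoformat(ts) for user, ts in revocations.items()}
    findings, unparsed = [], []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            unparsed.append(lineno)  # keep track; do not silently drop evidence
            continue
        try:
            when = datetime.fromisoformat(match["ts"])
        except ValueError:
            unparsed.append(lineno)
            continue
        if when.tzinfo is None:
            # Without an offset the time is ambiguous; flag it for manual review.
            unparsed.append(lineno)
            continue
        cutoff = cutoffs.get(match["user"])
        if cutoff is None or when <= cutoff:
            continue
        findings.append({
            "line": lineno,  # line number in the preserved original log
            "user": match["user"],
            "action": match["action"],
            "ip": match["ip"],
            "result": match["result"],
            "time_in_revocation_tz": when.astimezone(cutoff.tzinfo).isoformat(),
            "raw": line,
        })
    return findings, unparsed


if __name__ == "__main__":
    hits, skipped = find_post_revocation_access(SAMPLE_LOG, REVOCATIONS)
    for hit in hits:
        print(f"line {hit['line']}: {hit['action']} ({hit['result']}) "
              f"at {hit['time_in_revocation_tz']} from {hit['ip']}")
    print("lines needing manual review:", skipped)
```

The first sample entry looks later than 17:00 only if the offsets are ignored; converted to +08:00 it falls at 16:30, before the revocation, which is why the comparison is done on timezone-aware values rather than on the raw strings.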
XV. Complaints Involving Personal Accounts
For personal accounts, such as Facebook, Gmail, Instagram, TikTok, Apple ID, Google account, cloud storage, e-wallet, or online banking, the complainant should gather:
Security alerts.
Password reset emails.
Login history.
Unknown device records.
Screenshots of unauthorized activity.
Messages sent by the hacker.
Transactions made.
Recovery email or phone changes.
Identity verification attempts.
Platform support tickets.
Proof that the complainant owns the account.
The complainant should also report the incident to the platform and use account recovery tools. Platform reports are not substitutes for legal complaints, but they may help preserve records and regain access.
XVI. Complaints Involving Banks, E-Wallets, and Online Payments
If unauthorized access led to fund transfers, purchases, loans, withdrawals, or wallet transactions, the complainant should immediately:
Notify the bank or e-wallet provider.
Request freezing or reversal where possible.
File a formal dispute.
Secure the account.
Preserve transaction records.
Obtain reference numbers.
Screenshot transaction history.
Request written confirmation from the provider.
File a cybercrime complaint if unauthorized access or identity theft is involved.
Depending on the facts, the case may involve computer-related fraud, identity theft, illegal access, or other offenses.
XVII. Complaints Involving Data Breaches
A data breach may occur when unauthorized access results in exposure, copying, alteration, destruction, or disclosure of personal information.
For organizations handling personal data, additional obligations may arise under the Data Privacy Act and related issuances.
A personal information controller or processor may need to evaluate:
What personal data was accessed.
Whether sensitive personal information was involved.
How many data subjects were affected.
Whether there is likely risk of harm.
Whether notification to the National Privacy Commission is required.
Whether affected individuals must be notified.
What security measures failed.
What remedial actions were taken.
A cybercrime complaint may proceed separately from data privacy compliance obligations.
XVIII. Cybercrime Complaint Against an Unknown Hacker
It is not always possible to identify the offender immediately. The complainant may still file a complaint against an unknown person.
The complaint should include:
Description of the incident.
Affected system.
Evidence of unauthorized access.
Available logs or screenshots.
Possible leads.
Request for technical investigation.
The purpose is to allow law enforcement to trace, preserve, and request relevant data through proper channels.
XIX. Role of Electronic Evidence
Cybercrime complaints rely heavily on electronic evidence.
Under Philippine rules on electronic evidence, electronic documents, digital signatures, emails, text messages, logs, screenshots, and other digital records may be admissible if properly authenticated and relevant.
Important issues include:
Authenticity.
Integrity.
Reliability.
Chain of custody.
Source of the data.
Manner of collection.
Whether the evidence was altered.
Whether the person presenting it can explain it.
Forensic handling is especially important in cases involving devices, malware, deleted files, or server logs.
Screenshots are useful, but screenshots alone may be challenged. Whenever possible, preserve the original digital source.
XX. Chain of Custody
Chain of custody refers to the documented handling of evidence from collection to presentation.
For digital evidence, this may include:
Who collected the evidence.
When it was collected.
How it was collected.
Where it was stored.
Who accessed it.
Whether it was copied or imaged.
Whether hash values were generated.
How integrity was maintained.
Poor chain of custody may weaken a case, especially if the defense claims tampering, fabrication, or alteration.
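The items listed above (who collected, when, how, where stored, who accessed, hash values) can be captured in a single manifest at collection time and re-checked later. The following is an added example, not part of the original article; the field names, file names, and sample contents are constructed assumptions.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large logs or disk images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _now_utc():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def build_manifest(evidence_dir, collector, method, storage_location):
    """Record who/when/how/where plus a SHA-256 for every file under evidence_dir."""
    root = Path(evidence_dir)
    items = [
        {
            "file": path.relative_to(root).as_posix(),
            "size_bytes": path.stat().st_size,
            "sha256": sha256_file(path),
        }
        for path in sorted(p for p in root.rglob("*") if p.is_file())
    ]
    return {
        "collected_by": collector,
        "collected_at_utc": _now_utc(),
        "collection_method": method,
        "storage_location": storage_location,
        "items": items,
        "access_log": [],  # appended to each time someone handles the evidence
    }


def record_access(manifest, person, purpose):
    """Append a handling entry (who accessed the evidence, when, and why)."""
    manifest["access_log"].append(
        {"person": person, "purpose": purpose, "at_utc": _now_utc()}
    )


def verify_manifest(evidence_dir, manifest):
    """Return (file, problem) pairs for anything that no longer matches the manifest."""
    root = Path(evidence_dir)
    recorded = {item["file"]: item["sha256"] for item in manifest["items"]}
    problems = []
    for name, expected in recorded.items():
        path = root / name
        if not path.is_file():
            problems.append((name, "missing"))
        elif sha256_file(path) != expected:
            problems.append((name, "hash mismatch"))
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for name in sorted(present - recorded.keys()):
        problems.append((name, "not in manifest"))
    return problems


def demo():
    """Build a manifest over constructed sample files, then show what an edit looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        evidence.mkdir()
        # Constructed sample evidence, not real data.
        (evidence / "auth.log").write_text(
            "2024-03-01T09:30:00+00:00 login user=jreyes ip=203.0.113.7 result=success\n"
        )
        (evidence / "alert_email.eml").write_text(
            "Subject: New sign-in to your account\n\nConstructed sample.\n"
        )
        manifest = build_manifest(
            evidence,
            collector="IT administrator (hypothetical)",
            method="Exported from server and mail client, copied to read-only media",
            storage_location="Locked cabinet, IT office (hypothetical)",
        )
        record_access(manifest, "Company counsel (hypothetical)", "Review before filing")
        clean = verify_manifest(evidence, manifest)

        # Simulate later alteration: one file edited, one file added.
        with open(evidence / "auth.log", "a") as fh:
            fh.write("line added after collection\n")
        (evidence / "extra.txt").write_text("added later\n")
        tampered = verify_manifest(evidence, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("right after collection:", clean)
    print("after alteration:", tampered)
```

Store the manifest separately from the evidence folder (for example, printed and signed alongside the annexes), so that a change to the files cannot also change the recorded hashes.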
XXI. Common Mistakes by Complainants
Complainants often weaken their cases by making avoidable mistakes.
Common errors include:
Deleting messages or logs.
Failing to screenshot security alerts.
Waiting too long before filing.
Resetting or wiping devices before preserving evidence.
Posting accusations online without proof.
Confronting the suspect prematurely.
Trying to hack back.
Failing to document account ownership.
Submitting disorganized evidence.
Making conclusions without factual basis.
Not preserving original files.
Relying only on speculation.
Ignoring related bank, platform, or data privacy reporting requirements.
A complaint should be factual, organized, and supported by evidence.
XXII. Possible Defenses
A respondent may raise several defenses, including:
Consent was given.
The respondent had authority to access the system.
The account was shared.
The access was accidental.
The complainant cannot prove that access occurred.
The complainant cannot prove that the respondent was the person who accessed the system.
The logs are unreliable.
The screenshots are fabricated or incomplete.
The alleged access was within the respondent’s job duties.
The credentials were still valid and not revoked.
The system owner failed to define access restrictions.
Another person used the respondent’s device or account.
The complaint is malicious or retaliatory.
Because of these possible defenses, clear proof of lack of authority and reliable technical evidence are important.
XXIII. Penalties
Penalties under the Cybercrime Prevention Act may include imprisonment and fines, depending on the specific offense and circumstances.
The law generally imposes penalties based on the offense committed, and cybercrime penalties may be higher than their traditional counterparts in certain situations.
Where the offense is committed against critical infrastructure, penalties may be more severe.
The exact penalty depends on the charged offense, the applicable statutory provision, aggravating circumstances, and the court’s findings.
XXIV. Civil Remedies
A cybercrime incident may also give rise to civil liability.
Possible civil claims may include:
Actual damages.
Moral damages.
Exemplary damages.
Attorney’s fees.
Litigation expenses.
Restitution.
Recovery of misappropriated funds.
Injunction or other relief, depending on the case.
Civil liability may be pursued as part of the criminal case or through a separate civil action, subject to procedural rules.
XXV. Administrative and Regulatory Remedies
Depending on the parties involved, other remedies may exist.
For employees, unauthorized access may justify disciplinary action, termination, or administrative proceedings.
For professionals, it may lead to professional discipline.
For banks, e-wallet providers, telecoms, schools, hospitals, and businesses handling personal data, regulatory reporting or complaints may be relevant.
For government employees, administrative liability may arise.
For data privacy violations, the National Privacy Commission may have jurisdiction over certain complaints or investigations.
XXVI. Template Outline for a Cybercrime Complaint-Affidavit
Below is a practical outline:
Republic of the Philippines
City/Province of ________
Office of the City/Provincial Prosecutor or PNP Anti-Cybercrime Group / NBI Cybercrime Division
Complaint-Affidavit
I, [name], of legal age, [civil status], Filipino, and residing at [address], after being duly sworn, state:
I am the complainant in this case.
I am the owner, administrator, authorized user, or representative of [describe account/system/company].
This complaint concerns the unauthorized access of [describe account/system/device/network/database].
On or about [date and time], I discovered that [state what happened].
I did not authorize [name of respondent, if known] or any other person to access the said account/system.
The unauthorized access is shown by the following facts: [summarize evidence].
Attached as Annexes are the following:
- Annex A — [description].
- Annex B — [description].
- Annex C — [description].
After the unauthorized access, the following acts occurred: [data copied, password changed, messages sent, money transferred, files deleted, etc.].
As a result, I suffered [state damage or prejudice].
I respectfully request that the proper authorities investigate and prosecute the person responsible for illegal access and other applicable offenses under Republic Act No. 10175 and other relevant laws.
IN WITNESS WHEREOF, I have signed this affidavit on [date] at [place].
[Signature]
[Name]
Subscribed and sworn to before me this ___ day of ______ at ______.
XXVII. Checklist Before Filing
A complainant should prepare the following:
Valid ID.
Complaint-affidavit.
Screenshots.
Original emails or message exports.
Login alerts.
System logs.
Device information.
Account ownership proof.
Proof of lack of authorization.
Timeline of events.
Witness affidavits.
Company authorization, if filing for an organization.
Bank or e-wallet reports, if financial accounts were affected.
Platform support tickets or reports.
Data breach assessment, if personal data was involved.
Digital copies of all evidence.
Printed annexes arranged and labeled.
XXVIII. Special Considerations for Businesses
Businesses should treat unauthorized access as both a legal and cybersecurity incident.
A company should consider:
Activating its incident response plan.
Preserving logs.
Isolating affected systems.
Disabling compromised accounts.
Resetting passwords.
Rotating API keys and tokens.
Reviewing administrator privileges.
Checking for malware or backdoors.
Conducting forensic investigation.
Notifying affected clients or data subjects where required.
Assessing Data Privacy Act obligations.
Preparing a management-approved complaint.
Coordinating with counsel, IT, and law enforcement.
Businesses should avoid rushing into public accusations before technical findings are verified.
XXIX. Special Considerations for Schools, Clinics, and Small Organizations
Schools, clinics, churches, nonprofits, and small businesses often have weaker access controls. Unauthorized access cases may involve shared passwords, former staff, unpaid contractors, or informal IT arrangements.
These organizations should gather:
Proof of account ownership.
List of authorized users.
Password change history.
Communications with the suspected person.
System logs.
Service provider records.
Evidence of access revocation.
Evidence of damage or misuse.
They should also improve controls after the incident by assigning individual accounts, enabling multi-factor authentication, and removing shared credentials.
XXX. Unauthorized Access by a Former Partner, Spouse, or Family Member
Unauthorized access may also occur in personal relationships.
Examples include:
An ex-partner opening email or social media accounts.
A spouse accessing private messages without consent.
A relative using saved passwords to enter an account.
A former partner using shared devices to monitor activity.
A person installing spyware on a phone.
The fact that the parties had a relationship does not automatically authorize access. However, cases involving shared devices, shared passwords, or prior consent may be factually complex.
Evidence should show that the access exceeded permission or continued after permission was withdrawn.
XXXI. Unauthorized Access Using Shared Passwords
Many disputes arise because a password was previously shared.
The legal issue is whether the access was still authorized at the time it occurred.
A person who once had permission may later lose that permission. For example:
An employee’s authority ends after resignation.
A contractor’s authority ends after project completion.
A partner’s authority ends after separation or express revocation.
An administrator’s authority ends after removal.
To strengthen the complaint, show when and how authority was revoked.
Useful evidence includes:
Termination letters.
Revocation notices.
Password reset records.
Messages saying access is no longer allowed.
Company policy.
Role changes.
Admin access removal records.
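One way to show that access continued after authority was revoked is to compare login records against the revocation date. The sketch below is an added illustration, not part of the original article: the log format, usernames, dates, and IP addresses are constructed, and it assumes the system logs in UTC while the revocation document is dated in Philippine time.

```python
from datetime import datetime, timedelta, timezone

PHT = timezone(timedelta(hours=8))  # Philippine Standard Time (UTC+8)

# Constructed sample: when each user's authority ended (local time), and the
# document that proves it. Names, dates and addresses are made up.
REVOCATIONS = {
    "jdelacruz": ("2024-03-15 17:00", "termination letter"),
    "contractor01": ("2024-03-20 09:30", "admin access removal record"),
}

# Constructed sample log: "<UTC timestamp> <user> <source IP> <event>".
SAMPLE_LOG = """\
2024-03-15T08:10:44Z jdelacruz 203.0.113.10 LOGIN_SUCCESS
2024-03-15T09:05:12Z jdelacruz 203.0.113.10 LOGIN_SUCCESS
2024-03-16T14:22:01Z jdelacruz 198.51.100.7 LOGIN_FAILED
2024-03-16T14:23:30Z jdelacruz 198.51.100.7 LOGIN_SUCCESS
2024-03-20T01:15:00Z contractor01 192.0.2.55 LOGIN_SUCCESS
2024-03-20T01:45:00Z contractor01 192.0.2.55 LOGIN_SUCCESS
2024-03-21T03:00:00Z mreyes 203.0.113.10 LOGIN_SUCCESS
"""

def post_revocation_access(log_text, revocations):
    """Return successful logins that happened at or after the user's revocation."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event = line.split()
        if event != "LOGIN_SUCCESS" or user not in revocations:
            continue
        revoked_local, basis = revocations[user]
        # Put both times on one clock before comparing: the log is in UTC,
        # the revocation document is dated in Philippine local time.
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        revoked = datetime.strptime(revoked_local, "%Y-%m-%d %H:%M").replace(tzinfo=PHT)
        if when >= revoked:
            findings.append({
                "user": user,
                "source_ip": ip,
                "access_pht": when.astimezone(PHT).strftime("%Y-%m-%d %H:%M:%S"),
                "after_revocation": str(when - revoked),
                "basis": basis,
            })
    return findings

if __name__ == "__main__":
    for row in post_revocation_access(SAMPLE_LOG, REVOCATIONS):
        print(row)
```

Each returned row can be copied into the timeline of events, alongside the system access logs and the revocation document it relies on.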
XXXII. Unauthorized Access Without Further Damage
A common misconception is that cybercrime exists only if data was stolen or money was lost. Under cybercrime law, unauthorized access itself may be punishable.
However, proving damage may affect the seriousness of the case, related charges, civil remedies, and investigative priority.
Even if no visible damage occurred, the complainant should still preserve logs and report promptly.
XXXIII. Unauthorized Access and Ethical Hacking
Ethical hacking, penetration testing, vulnerability research, and security audits require clear authorization.
A person who scans, probes, tests, or enters a system without permission may face liability even if they claim they intended to help.
Organizations should issue written authorization for penetration testing, defining:
Scope.
Dates.
Systems covered.
Permitted techniques.
Prohibited actions.
Reporting procedure.
Confidentiality.
Emergency contacts.
Without clear authorization, “security testing” may be treated as illegal access.
XXXIV. Practical Evidence Annex List
A well-organized annex list may look like this:
Annex A — Copy of complainant’s valid ID.
Annex B — Proof of ownership of affected account.
Annex C — Screenshot of unauthorized login alert.
Annex D — Screenshot of unknown device logged into account.
Annex E — Screenshot of password change notification.
Annex F — Screenshot of unauthorized messages sent.
Annex G — Copy of email headers.
Annex H — System access logs.
Annex I — Timeline of incident.
Annex J — Platform support ticket.
Annex K — Bank or e-wallet transaction record.
Annex L — Witness affidavit.
Annex M — Company authorization to file complaint.
Annex N — Internal IT report.
Annex O — Data breach assessment.
XXXV. Practical Tips for Presenting the Complaint
Use plain language.
Arrange events chronologically.
Label every attachment.
Avoid exaggeration.
Separate facts from suspicions.
Identify the exact account or system.
Explain why access was unauthorized.
Show how the respondent is connected, if known.
Include dates, times, usernames, URLs, and IP addresses.
Bring both printed and digital copies.
Keep backup copies of everything submitted.
Ask for receiving copies, reference numbers, or acknowledgment.
XXXVI. Conclusion
Filing a cybercrime complaint for unauthorized system access in the Philippines requires more than saying that an account or system was hacked. The complainant should be able to explain what was accessed, why the access was unauthorized, when it happened, what evidence supports the complaint, and what harm resulted.
The primary law is the Cybercrime Prevention Act of 2012, but related issues may arise under the Data Privacy Act, the Revised Penal Code, banking rules, employment law, corporate law, and other regulations.
The strongest complaints are prompt, factual, well-documented, and supported by preserved digital evidence. For serious incidents, especially those involving companies, financial accounts, personal data, or unknown technical actors, early coordination with law enforcement, IT professionals, and legal counsel is often essential.