How to File a Police Cybercrime Complaint for System and Data Breach

I. Introduction

A system and data breach is not merely a technical incident. In the Philippines, it may give rise to criminal, civil, administrative, contractual, employment, regulatory, and data privacy consequences. When an unauthorized person accesses a computer system, copies files, exfiltrates personal data, alters credentials, defaces a website, installs malware, disrupts services, or uses stolen data for fraud, the incident may fall under Philippine cybercrime laws and related statutes.

For victims, the first legal question is usually practical: where and how should a cybercrime complaint be filed? The answer depends on the nature of the breach, the identity of the victim, the type of data compromised, the available evidence, and whether the complainant is an individual, company, school, government office, or organization.

This article explains, in the Philippine context, how to prepare and file a police cybercrime complaint for a system and data breach, what laws may apply, what evidence should be preserved, what agencies may be involved, and what legal steps commonly follow.

II. What Is a System and Data Breach?

A system breach generally refers to unauthorized access to, interference with, or misuse of a computer system, server, account, network, cloud platform, database, website, application, device, or information infrastructure.

A data breach generally refers to unauthorized access, disclosure, acquisition, copying, alteration, destruction, loss, or misuse of data. In many cases, the data involved includes personal information, sensitive personal information, business records, trade secrets, credentials, financial information, communications, or government data.

Examples include:

  1. Unauthorized login to an email, social media, database, server, or admin panel.
  2. Hacking of a website, web application, cloud account, or internal network.
  3. Ransomware infection or malware deployment.
  4. Theft of customer records, employee files, or confidential documents.
  5. Exfiltration of databases containing names, addresses, IDs, passwords, payment details, or medical records.
  6. Unauthorized disclosure of screenshots, private messages, documents, or internal files.
  7. Credential stuffing, phishing, SIM-related account takeover, or social engineering leading to unauthorized system access.
  8. Defacement of a website or unauthorized changes to files.
  9. Insider misuse of company systems.
  10. Destruction, deletion, encryption, or alteration of records.
  11. Use of stolen data for fraud, blackmail, identity theft, extortion, or impersonation.

A single incident may involve several legal violations at once.

III. Principal Philippine Laws That May Apply

A. Cybercrime Prevention Act of 2012

The main law is Republic Act No. 10175, known as the Cybercrime Prevention Act of 2012. It penalizes several cyber-related offenses, including acts that directly apply to system and data breaches.

Commonly relevant offenses include:

1. Illegal Access

This covers unauthorized access to the whole or any part of a computer system. In ordinary language, this is “hacking” or entering a system without permission.

Examples:

  • Logging in using stolen credentials.
  • Bypassing authentication.
  • Accessing an admin panel without authority.
  • Entering a server, database, or account beyond one’s permission.

2. Illegal Interception

This involves unauthorized interception of computer data, communications, or transmissions. It may apply where the offender captures, monitors, records, or obtains data in transit without authority.

Examples:

  • Intercepting emails or messages.
  • Capturing network traffic.
  • Sniffing credentials.
  • Monitoring private digital communications without permission.

3. Data Interference

This concerns unauthorized alteration, damaging, deletion, deterioration, or suppression of computer data.

Examples:

  • Deleting database records.
  • Modifying logs or files.
  • Encrypting data through ransomware.
  • Corrupting or destroying stored information.

4. System Interference

This involves serious hindering or interference with the functioning of a computer or computer network.

Examples:

  • Distributed denial-of-service attacks.
  • Disabling servers.
  • Crashing systems.
  • Deploying malware that prevents normal business operations.

5. Misuse of Devices

This may apply to the production, sale, procurement, importation, distribution, or possession of devices, programs, passwords, access codes, or similar data primarily designed or adapted for committing cybercrime.

Examples:

  • Selling stolen passwords.
  • Distributing malware tools.
  • Possessing access credentials for unauthorized intrusion.

6. Computer-Related Forgery

This may involve inputting, altering, or deleting computer data resulting in inauthentic data, with intent that it be considered or acted upon as authentic.

Examples:

  • Creating fake digital records.
  • Altering system entries to make them appear legitimate.
  • Manipulating electronic documents or logs.

7. Computer-Related Fraud

This involves unauthorized input, alteration, or deletion of computer data or interference with a computer system causing damage or fraudulent benefit.

Examples:

  • Unauthorized bank or wallet transfers.
  • Manipulation of online accounts to obtain money.
  • Use of compromised systems to defraud customers.

8. Computer-Related Identity Theft

This applies when identifying information belonging to another person is intentionally acquired, used, misused, transferred, possessed, altered, or deleted without right.

Examples:

  • Using stolen personal information to open accounts.
  • Taking over a person’s online identity.
  • Using breached records to impersonate someone.

9. Cyber Libel or Other Content-Related Offenses

Where stolen or unlawfully obtained data is published with defamatory content, cyber libel may also be alleged. However, cyber libel is distinct from the breach itself and requires separate legal analysis.

B. Data Privacy Act of 2012

The Data Privacy Act of 2012, or Republic Act No. 10173, may apply when the breach involves personal information or sensitive personal information.

This law regulates the processing of personal data and imposes obligations on personal information controllers and processors. In a breach involving personal data, there may be duties to:

  1. Investigate the breach.
  2. Contain the incident.
  3. Assess risks to affected data subjects.
  4. Notify the National Privacy Commission when legally required.
  5. Notify affected data subjects when legally required.
  6. Implement remedial and security measures.
  7. Preserve documentation and incident reports.

The Data Privacy Act may also provide criminal penalties for certain unlawful processing, unauthorized access, improper disclosure, malicious disclosure, concealment of security breaches involving sensitive personal information, and related violations.

A police cybercrime complaint and a data privacy breach report are not always the same thing. A victim may need to file with law enforcement while also addressing National Privacy Commission obligations.

C. Revised Penal Code

Some acts connected with a system or data breach may also fall under the Revised Penal Code, depending on the facts.

Possible related offenses include:

  1. Estafa or swindling.
  2. Theft, including theft of property or value obtained through digital means.
  3. Malicious mischief.
  4. Falsification.
  5. Grave coercion or threats.
  6. Unjust vexation.
  7. Libel, where applicable.
  8. Qualified theft, especially in employment or fiduciary contexts.

Cybercrime laws may increase penalties where traditional crimes are committed through information and communications technology.

D. Access Devices Regulation Act

The Access Devices Regulation Act, or Republic Act No. 8484, may apply where the breach involves credit cards, debit cards, account numbers, access devices, online banking credentials, payment accounts, or similar instruments.

This is relevant where compromised data is used for unauthorized transactions, financial fraud, or payment-related offenses.

E. E-Commerce Act

The Electronic Commerce Act, or Republic Act No. 8792, may be relevant where electronic documents, electronic signatures, digital records, or electronic transactions are involved.

It may matter in proving the authenticity, admissibility, or legal effect of digital records.

F. Special Laws for Particular Sectors

Depending on the victim and data involved, other rules may apply.

Examples:

  1. Banking and financial regulations.
  2. Insurance regulations.
  3. Telecommunications rules.
  4. Government information security rules.
  5. Health data rules.
  6. Education records policies.
  7. Employment and labor rules.
  8. Consumer protection laws.
  9. Intellectual property laws.
  10. Contractual confidentiality obligations.

A breach in a bank, fintech company, hospital, school, law firm, BPO, government office, or online platform may trigger sector-specific duties beyond the criminal complaint.

IV. Which Agency Should Receive the Complaint?

In the Philippines, cybercrime complaints may commonly be brought to specialized police or investigative units.

A. Philippine National Police Anti-Cybercrime Group

The PNP Anti-Cybercrime Group, commonly called PNP-ACG, is a principal law enforcement unit handling cybercrime complaints. It investigates cybercrime offenses, receives complaints, assists in digital evidence handling, and may coordinate with prosecutors and other agencies.

A complainant may approach the PNP-ACG national office or an appropriate regional cybercrime unit, depending on availability and location.

B. National Bureau of Investigation Cybercrime Division

The National Bureau of Investigation Cybercrime Division, or NBI-CCD, also handles cybercrime complaints. It is often approached for hacking, online fraud, identity theft, extortion, unauthorized access, online threats, and other cyber incidents.

Both the PNP and NBI may investigate cybercrime complaints. In practice, complainants often choose one agency to avoid duplication, though there may be situations where coordination among agencies becomes necessary.

C. Prosecutor’s Office

A criminal complaint may ultimately proceed to the Office of the City Prosecutor, Provincial Prosecutor, or Department of Justice, depending on the offense, location, and procedural posture. Law enforcement may assist in preparing the complaint, but the prosecutor determines whether probable cause exists for filing a criminal case in court.

D. National Privacy Commission

If the incident involves personal data, the National Privacy Commission may be relevant. The NPC is not primarily a police agency, but it handles privacy-related complaints, compliance matters, breach notifications, and enforcement under the Data Privacy Act.

A complainant may need to pursue two tracks:

  1. A criminal cybercrime complaint with PNP-ACG or NBI-CCD.
  2. A data privacy complaint or breach notification process with the NPC, when applicable.

V. Who May File the Complaint?

A complaint may generally be filed by:

  1. The individual whose account, data, or identity was compromised.
  2. A company whose systems or data were breached.
  3. A government agency whose system was attacked.
  4. An authorized representative of the victim.
  5. A data protection officer, compliance officer, IT head, corporate officer, or lawyer acting for an organization.
  6. A parent or guardian for a minor, where applicable.
  7. A person authorized by board resolution, secretary’s certificate, special power of attorney, or similar document.

For corporations and organizations, law enforcement will usually require proof that the person appearing has authority to act for the entity.

Common authority documents include:

  • Secretary’s certificate.
  • Board resolution.
  • Notarized authorization letter.
  • Special power of attorney.
  • Company ID.
  • Government-issued ID of the representative.
  • Data protection officer designation, where relevant.
  • Employment certificate or appointment document.

VI. Immediate Steps Before Filing

A system and data breach complaint should not be filed casually or without preparation. Cybercrime investigations depend heavily on evidence preservation.

A. Do Not Destroy or Overwrite Evidence

Avoid deleting files, formatting devices, wiping logs, reinstalling systems, or resetting everything before evidence is preserved. These actions may destroy valuable proof.

However, containment may still be necessary to stop ongoing harm. The proper balance is:

  1. Preserve evidence.
  2. Contain the breach.
  3. Document every action.
  4. Avoid unnecessary alteration of affected systems.

B. Preserve Logs

Logs are often critical. Preserve:

  • Server logs.
  • Web application logs.
  • Firewall logs.
  • VPN logs.
  • Authentication logs.
  • Database logs.
  • Cloud access logs.
  • Email logs.
  • Endpoint detection logs.
  • SIEM logs.
  • Router logs.
  • Admin panel logs.
  • Payment gateway logs.
  • API logs.
  • System event logs.

Logs should be exported in a manner that preserves timestamps, source IP addresses, usernames, user agents, request paths, session IDs, error codes, and authentication events.

C. Take Screenshots Properly

Screenshots may help, but they should be complete and contextual. Capture:

  1. Full screen, not cropped portions only.
  2. URL bar, date, and time where possible.
  3. Account name or system identifier.
  4. Error messages.
  5. Unauthorized transactions.
  6. Defaced pages.
  7. Suspicious emails or messages.
  8. Login alerts.
  9. Ransom notes.
  10. File changes or deletion notices.

Screenshots alone are often insufficient, but they are useful supporting evidence.

D. Save Original Emails and Headers

For phishing, account takeover, extortion, or malicious communications, preserve the original email and full headers. Do not merely print the email body.

Important items include:

  • Sender address.
  • Reply-to address.
  • Return path.
  • Message ID.
  • Received headers.
  • Timestamp.
  • Attachments.
  • Links.
  • IP address references.
  • Authentication results.

E. Preserve Devices

Affected devices may include laptops, phones, servers, hard drives, USB drives, routers, and storage media. Avoid tampering with them. If possible, preserve forensic images rather than relying only on ordinary file copies.

F. Preserve Cloud Evidence

Many breaches involve cloud systems. Preserve:

  • Account activity logs.
  • Login history.
  • Admin changes.
  • IAM changes.
  • API key creation.
  • Download/export logs.
  • File-sharing activity.
  • New user creation.
  • MFA changes.
  • Password resets.
  • Bucket or database access logs.
  • Security alerts.

G. Document the Timeline

Prepare a clear chronology:

  1. When the system was last known secure.
  2. When suspicious activity was first noticed.
  3. Who discovered the breach.
  4. What systems were affected.
  5. What data may have been accessed.
  6. What actions were taken.
  7. Whether the attacker communicated.
  8. Whether money, credentials, or data were demanded.
  9. Whether data appeared online.
  10. Whether affected persons were notified.

H. Identify the Harm

The complaint should explain the damage suffered, such as:

  • Loss of money.
  • Business interruption.
  • Data loss.
  • Exposure of personal information.
  • Reputational harm.
  • Unauthorized transactions.
  • Identity theft.
  • Extortion.
  • Loss of access to accounts.
  • System downtime.
  • Cost of restoration.
  • Risk to customers, employees, or users.

VII. Evidence Commonly Needed for a Cybercrime Complaint

The strength of a cybercrime complaint often depends on the quality and integrity of digital evidence.

A. Identification Documents

For individuals:

  • Government-issued ID.
  • Contact details.
  • Proof of ownership or control of the affected account, device, or system.

For companies:

  • SEC or DTI registration, where applicable.
  • Mayor’s permit or business documents, where relevant.
  • Secretary’s certificate or authorization.
  • Company ID of representative.
  • Government ID of representative.
  • Proof of ownership, control, or administration of the breached system.

B. Proof of System Ownership or Authority

Law enforcement may ask for proof that the complainant has legal authority over the system.

Examples:

  • Domain registration records.
  • Hosting account records.
  • Cloud subscription records.
  • Service agreements.
  • Admin account details.
  • System architecture documents.
  • Internal appointment of system administrator.
  • Contracts with IT vendors.

C. Technical Evidence

Possible technical evidence includes:

  • IP addresses.
  • URLs.
  • Domain names.
  • Email addresses.
  • Usernames or handles.
  • Phone numbers.
  • Wallet addresses.
  • Transaction references.
  • Login timestamps.
  • Device identifiers.
  • MAC addresses, where relevant.
  • Malware samples.
  • Hash values.
  • Logs.
  • Database records.
  • Screenshots.
  • Forensic reports.
  • Incident response reports.

D. Communications from the Suspect

Preserve all communications, including:

  • Emails.
  • SMS.
  • Chat messages.
  • Social media messages.
  • Threats.
  • Extortion demands.
  • Payment instructions.
  • Telegram, WhatsApp, Messenger, Viber, Discord, or similar messages.
  • Voice notes.
  • Call logs.

E. Financial Records

If money was lost or demanded:

  • Bank statements.
  • E-wallet transaction history.
  • Payment confirmations.
  • Crypto transaction hashes.
  • Remittance slips.
  • Chargeback records.
  • Fraud reports.
  • Merchant account records.

F. Data Breach Evidence

If data was exposed:

  • Sample of compromised data.
  • Description of affected data fields.
  • Number or estimate of affected records.
  • Source database or system.
  • Evidence of exfiltration.
  • Links to leaked data, if discovered.
  • Screenshots of public exposure.
  • Dark web or leak site references, if available.
  • Internal data inventory.
  • Breach assessment report.

G. Chain of Custody

Digital evidence must be handled carefully. A clear chain of custody helps show that evidence was not altered.

Good practice includes documenting:

  1. Who collected the evidence.
  2. When it was collected.
  3. Where it was collected from.
  4. How it was collected.
  5. How it was stored.
  6. Who accessed it.
  7. Whether hashes were generated.
  8. Whether original devices were preserved.

VIII. How to Draft the Complaint-Affidavit

A criminal complaint usually requires a complaint-affidavit. This is a sworn written statement narrating the facts and attaching supporting evidence.

A. Basic Contents

A complaint-affidavit for a system and data breach should usually contain:

  1. Name, address, and personal details of the complainant.
  2. Authority to represent the victim, if applicable.
  3. Identification of the affected system, account, platform, or data.
  4. Statement of ownership, control, or lawful access.
  5. Description of the incident.
  6. Date and time of discovery.
  7. Timeline of events.
  8. Acts believed to have been committed.
  9. Evidence linking the acts to the suspect, if known.
  10. Damage suffered.
  11. Actions already taken.
  12. Request for investigation and prosecution.
  13. List of attachments.
  14. Verification and jurat before a notary or administering officer.

B. If the Suspect Is Unknown

Many cybercrime complaints begin with an unknown suspect. This is acceptable. The complaint may be filed against “John Doe,” “Jane Doe,” or unknown persons, with identifying details to be determined during investigation.

The complaint should include all available identifiers:

  • IP addresses.
  • Usernames.
  • Email addresses.
  • Phone numbers.
  • Account handles.
  • URLs.
  • Bank or e-wallet accounts.
  • Device names.
  • Transaction references.
  • Logs showing access.
  • Any repeated pattern of activity.

C. Avoid Overclaiming

A complaint should be factual. Avoid unsupported conclusions such as “X definitely hacked us” unless evidence supports that statement. Instead, say:

“Based on the logs, the unauthorized login originated from the following IP address…”

or

“The account used to demand payment identified itself as…”

or

“We believe the following person may be involved because…”

A carefully written complaint is more credible than an emotional or speculative one.

D. Attachments

Common attachments include:

  • IDs.
  • Authority documents.
  • Screenshots.
  • Logs.
  • Incident report.
  • Forensic report.
  • Email headers.
  • Chat transcripts.
  • Transaction records.
  • System ownership documents.
  • Data inventory.
  • Breach assessment.
  • Affidavits of IT personnel or witnesses.

IX. Where and How to File the Complaint

A. Filing with PNP Anti-Cybercrime Group

The complainant may go to the appropriate PNP cybercrime office and submit:

  1. Complaint-affidavit.
  2. Supporting evidence.
  3. Identification documents.
  4. Authority documents, for corporate complainants.
  5. Digital files in storage media, if required.
  6. Printed copies of key evidence.

The complainant may be interviewed by investigators. The investigator may ask for additional documents, technical logs, affidavits, or access to accounts or systems.

B. Filing with NBI Cybercrime Division

A complaint may also be filed with the NBI cybercrime office. The usual process involves:

  1. Initial evaluation.
  2. Submission of complaint-affidavit and evidence.
  3. Interview or sworn statement.
  4. Technical assessment.
  5. Request for additional records.
  6. Possible coordination with service providers or platforms.
  7. Case build-up for prosecutor referral.

C. Filing Directly with the Prosecutor

In some cases, a complainant may file directly with the prosecutor’s office. However, cybercrime cases often benefit from law enforcement assistance because investigators may be needed to trace accounts, preserve electronic evidence, coordinate with platforms, or conduct technical examination.

D. Choosing Between PNP and NBI

Both may handle cybercrime matters. Practical considerations include:

  • Which office is geographically accessible.
  • Which agency has already handled related incidents.
  • Whether urgent preservation or tracing is needed.
  • Whether there is an ongoing related investigation.
  • Whether the complainant has already filed with one agency.

Avoid filing the same facts in multiple offices without disclosure. Duplicative complaints may create confusion.

X. What Happens After Filing?

A. Initial Evaluation

Investigators will review whether the facts alleged constitute a cybercrime or related offense. They may check whether the evidence is sufficient, whether more information is needed, and whether urgent preservation requests are appropriate.

B. Case Build-Up

Law enforcement may conduct further investigation, which may include:

  • Technical analysis.
  • Tracing of accounts or IP addresses.
  • Requests to service providers.
  • Preservation of computer data.
  • Interviews of witnesses.
  • Examination of devices.
  • Coordination with banks, telcos, platforms, or hosting providers.
  • Identification of suspects.

C. Referral for Preliminary Investigation

If sufficient evidence is gathered, the matter may be referred to the prosecutor for preliminary investigation. The prosecutor determines whether probable cause exists.

D. Respondent’s Counter-Affidavit

If a respondent is identified, the prosecutor may require the respondent to submit a counter-affidavit. The complainant may be allowed to submit a reply-affidavit.

E. Resolution

The prosecutor may:

  1. Dismiss the complaint.
  2. Require more evidence.
  3. Find probable cause and file an information in court.
  4. Recommend charges for certain offenses but not others.

F. Court Proceedings

If charges are filed, the case proceeds in court. The prosecution must prove guilt beyond reasonable doubt. Digital evidence, witness testimony, expert testimony, logs, certifications, and forensic reports may become important.

XI. Preservation of Computer Data

In cybercrime cases, digital evidence can disappear quickly. Logs may be overwritten, accounts may be deleted, IP address assignments may rotate, and cloud records may expire.

Law enforcement may seek preservation of computer data. Preservation is different from disclosure. It generally aims to prevent relevant data from being deleted while lawful processes are pursued.

A complainant should act quickly when the evidence depends on third-party platforms, such as:

  • Social media companies.
  • Email providers.
  • Cloud hosting providers.
  • Banks.
  • E-wallet companies.
  • Telecommunications providers.
  • Domain registrars.
  • Web hosts.
  • Payment processors.
  • Online marketplaces.
  • Messaging platforms.

Delay can make attribution difficult.

XII. Search, Seizure, and Examination of Computer Data

Cybercrime investigations may require lawful access to devices, servers, accounts, or stored data. Search and seizure of computer data generally requires compliance with constitutional and procedural safeguards.

Important principles include:

  1. Searches must generally be supported by lawful authority.
  2. Warrants must describe the place to be searched and items to be seized with sufficient particularity.
  3. Digital evidence must be handled carefully to preserve integrity.
  4. Forensic examination may be conducted by authorized personnel.
  5. Overbroad searches may be challenged.

For complainants, the practical point is this: do not expect law enforcement to instantly obtain private platform records without legal process. Investigators often need to follow formal procedures.

XIII. Reporting a Personal Data Breach

When the breached data includes personal information, especially sensitive personal information, the organization controlling the data may have obligations under the Data Privacy Act.

A. What Is Personal Information?

Personal information generally refers to information from which an individual’s identity is apparent or can be reasonably and directly ascertained, or when combined with other information would identify an individual.

Examples:

  • Name.
  • Address.
  • Contact number.
  • Email address.
  • Government ID number.
  • Account details.
  • Photos.
  • Location data.
  • Employment records.

B. What Is Sensitive Personal Information?

Sensitive personal information includes categories such as:

  • Race or ethnic origin.
  • Marital status.
  • Age.
  • Color.
  • Religious, philosophical, or political affiliations.
  • Health information.
  • Education.
  • Genetic or sexual life information.
  • Government-issued identifiers.
  • Tax returns.
  • Information specifically classified by law as sensitive.

C. When Breach Notification May Be Required

A breach may require notification to the National Privacy Commission and affected data subjects when legal thresholds are met, especially where sensitive personal information or information that may enable identity fraud is involved and there is a real risk of serious harm.

The organization should assess:

  1. What data was affected.
  2. Whether the data was encrypted or protected.
  3. Whether the data was actually accessed or exfiltrated.
  4. Whether affected individuals are likely to suffer harm.
  5. Whether the breach involves sensitive personal information.
  6. Whether notification is legally required.
  7. Whether delay may increase harm.

D. Relationship Between Police Complaint and NPC Notification

A police complaint seeks criminal investigation. An NPC notification or complaint addresses privacy compliance and protection of data subjects.

Both may be necessary.

For example:

  • A company whose customer database was hacked may file a cybercrime complaint with PNP-ACG or NBI-CCD.
  • The same company may also need to notify the NPC and affected individuals if legal requirements are met.

XIV. Special Considerations for Companies and Organizations

A. Internal Incident Response

Before or alongside filing, organizations should activate an incident response process:

  1. Identify affected systems.
  2. Contain unauthorized access.
  3. Preserve evidence.
  4. Reset compromised credentials.
  5. Revoke suspicious tokens and API keys.
  6. Patch exploited vulnerabilities.
  7. Review logs.
  8. Segment affected networks.
  9. Engage forensic support where appropriate.
  10. Prepare legal and regulatory reports.

B. Coordination Between Legal, IT, Management, and DPO

A breach is multidisciplinary. The following should coordinate:

  • Legal counsel.
  • Data protection officer.
  • IT security team.
  • Management.
  • Human resources, if employees are involved.
  • Communications team.
  • External forensic consultants.
  • Insurance provider, if cyber insurance exists.
  • Regulators, where required.

C. Vendor Breaches

If the breach occurred through a vendor, cloud provider, software supplier, outsourced processor, or contractor, the company should review:

  • Data processing agreements.
  • Service contracts.
  • Security obligations.
  • Breach notification clauses.
  • Audit rights.
  • Liability and indemnity clauses.
  • Confidentiality provisions.
  • Subprocessor obligations.

D. Insider Breaches

If the suspected offender is an employee, contractor, officer, or former staff member, additional steps may be needed:

  1. Preserve employment records.
  2. Review access logs.
  3. Suspend or revoke access.
  4. Conduct administrative investigation.
  5. Observe due process in employment actions.
  6. File criminal complaint where warranted.
  7. Protect confidentiality during investigation.

An insider breach may involve cybercrime, data privacy violations, theft, qualified theft, breach of trust, unfair competition, or violation of company policies.

XV. Common Mistakes in Filing Cybercrime Complaints

1. Waiting Too Long

Delay may cause loss of logs, deletion of accounts, dissipation of funds, or inability to trace IP addresses.

2. Filing Without Evidence

A bare allegation that “I was hacked” is often insufficient. The complaint should include specific facts and supporting documents.

3. Destroying Evidence During Cleanup

Formatting a device, deleting suspicious files, or reinstalling systems before evidence collection may harm the case.

4. Relying Only on Screenshots

Screenshots help but should be supported by logs, headers, records, forensic reports, or platform data.

5. Publicly Accusing a Suspect Without Proof

Public accusations can expose the complainant to defamation, privacy, or other legal risks.

6. Paying Ransom Without Documentation

If payment is made, preserve all communications and transaction records. Payment does not guarantee recovery and may complicate legal and operational issues.

7. Ignoring Data Privacy Obligations

A company may focus on the hacker and forget duties to affected data subjects and regulators.

8. Not Authorizing the Corporate Representative

Police or prosecutors may require proof that the person filing for a company is duly authorized.

9. Mixing Technical Conclusions with Facts

Technical evidence should be clearly explained. Avoid unsupported leaps from an IP address or username to a person’s identity.

10. Failing to Preserve Original Digital Files

Printed screenshots or copied text may not be enough. Preserve originals, metadata, logs, and file hashes where possible.

XVI. Practical Checklist Before Going to the Police

A. For Individual Victims

Bring or prepare:

  • Government-issued ID.
  • Written narrative of what happened.
  • Screenshots.
  • Suspicious emails with headers.
  • Chat messages.
  • Account recovery notices.
  • Login alerts.
  • Transaction records.
  • Proof of account ownership.
  • URLs or usernames involved.
  • Phone numbers, emails, or handles used by the suspect.
  • Device involved, if relevant.
  • Any demand for money or threats.
  • Timeline of events.

B. For Companies or Organizations

Bring or prepare:

  • Complaint-affidavit.
  • Secretary’s certificate or authorization.
  • Representative’s ID.
  • Company registration documents.
  • Incident report.
  • Technical logs.
  • Forensic report, if available.
  • Screenshots.
  • Data breach assessment.
  • List of affected systems.
  • List or description of compromised data.
  • Evidence of damage.
  • Vendor reports, if applicable.
  • Data privacy assessment.
  • Proof of system ownership or control.
  • Contact person for technical coordination.

XVII. Elements to Explain Clearly in the Complaint

A strong complaint should answer these questions:

  1. What system was breached?
  2. Who owns or controls the system?
  3. Who had authority to access it?
  4. What unauthorized activity occurred?
  5. When did it occur?
  6. How was it discovered?
  7. What evidence shows unauthorized access or interference?
  8. What data was accessed, copied, altered, deleted, or exposed?
  9. What damage resulted?
  10. Is the suspect known or unknown?
  11. What identifiers point to the suspect?
  12. What immediate action is requested from law enforcement?

XVIII. Sample Structure of a Complaint-Affidavit

Below is a general structure. It should be adapted to the facts.

Republic of the Philippines [City/Province]

Complaint-Affidavit

I, [Name], of legal age, Filipino, with address at [address], after being duly sworn, state:

  1. I am the [position/title] of [company/entity], or I am the owner/user of [account/system].
  2. I am executing this affidavit to file a complaint for cybercrime arising from unauthorized access to [system/account/database] and unauthorized acquisition, alteration, deletion, or disclosure of data.
  3. On or about [date and time], I/we discovered [describe suspicious activity].
  4. The affected system/account is [describe system], which is owned, administered, or lawfully controlled by [complainant/entity].
  5. Upon review of available records, we found the following: [summarize logs, IPs, timestamps, access events, transactions, messages].
  6. The unauthorized activity resulted in [describe harm].
  7. Attached are copies of relevant documents, screenshots, logs, and records.
  8. The person responsible is currently unknown, or the person believed to be responsible is [name/identifier], based on [facts].
  9. I respectfully request that the proper authorities investigate the incident and prosecute the person or persons responsible for violations of applicable laws, including the Cybercrime Prevention Act of 2012, the Data Privacy Act of 2012, the Revised Penal Code, and other applicable laws.

IN WITNESS WHEREOF, I have signed this affidavit on [date] at [place].

[Signature] [Name]

Subscribed and sworn to before me this [date] at [place], affiant exhibiting competent proof of identity.

XIX. Legal Theories Commonly Raised in a System and Data Breach Complaint

Depending on the facts, the complaint may allege one or more of the following:

A. Unauthorized Access

Where someone entered the system, account, database, server, or application without permission.

B. Unauthorized Copying or Exfiltration

Where data was copied, downloaded, transferred, or extracted without authority.

C. Data Alteration or Deletion

Where records were changed, erased, encrypted, corrupted, or suppressed.

D. System Disruption

Where the attacker caused downtime, disabled services, crashed applications, or blocked normal operations.

E. Identity Theft

Where personal information was used to impersonate a person or gain access to accounts.

F. Fraud

Where the breach was used to obtain money, goods, services, benefits, credentials, or access.

G. Extortion or Threats

Where the attacker demanded payment or threatened to release data, damage systems, or harm reputation.

H. Privacy Violation

Where personal data was accessed, disclosed, or processed without lawful basis.

I. Insider Misuse

Where a person with limited authority exceeded authorized access or used data for improper purposes.

XX. Proving Unauthorized Access

Unauthorized access may be shown by direct or circumstantial evidence.

Relevant evidence includes:

  • Login records.
  • Failed login attempts.
  • New device alerts.
  • IP addresses.
  • Geolocation data.
  • Session records.
  • User-agent strings.
  • MFA bypass records.
  • Password reset logs.
  • Admin activity logs.
  • File access logs.
  • Database query logs.
  • Account recovery records.
  • Witness testimony.
  • Admissions or communications.
  • Forensic artifacts.
  • Unusual access outside normal work hours.
  • Access after employment ended.
  • Access from unauthorized locations.

Proof does not always require a video of the suspect hacking the system. Cybercrime cases often rely on logs, records, tracing, and circumstantial evidence.

XXI. Challenges in Attribution

Attribution means identifying who actually committed the breach. This is often difficult because attackers may use:

  • VPNs.
  • Proxies.
  • Tor.
  • Compromised machines.
  • Fake accounts.
  • Stolen credentials.
  • Public Wi-Fi.
  • Spoofed identities.
  • Foreign infrastructure.
  • Disposable phone numbers.
  • Cryptocurrency wallets.
  • Mule accounts.

An IP address alone may not prove identity. It may point to a network, device, subscriber, VPN provider, or compromised system. Investigators usually need to connect multiple pieces of evidence.

Examples of stronger attribution evidence include:

  1. IP logs matched with subscriber records.
  2. Account activity tied to a verified phone number or email.
  3. Financial trail to a known recipient.
  4. Reuse of usernames, handles, or devices.
  5. Messages admitting involvement.
  6. Possession of stolen data.
  7. Insider access records.
  8. CCTV or physical access evidence.
  9. Employment or contractor records.
  10. Recovery of malware or tools from a suspect device.

XXII. Jurisdiction and Venue

Cybercrime often crosses city, provincial, and national borders. The victim may be in one place, the server in another, the suspect elsewhere, and the platform abroad.

In the Philippine context, jurisdiction may be considered based on factors such as:

  • Where the complainant resides or operates.
  • Where the damage occurred.
  • Where the system is located or administered.
  • Where the unauthorized access had effects.
  • Where the offender acted, if known.
  • Where data was stored or processed.
  • Where the fraudulent transaction occurred.

Because cybercrime may involve multiple locations, law enforcement and prosecutors will evaluate proper venue and jurisdiction based on the facts.

XXIII. If the Platform or Suspect Is Abroad

Many cyber incidents involve foreign platforms or foreign infrastructure. This does not automatically prevent filing in the Philippines, especially if the victim, damage, data subjects, or affected system has a Philippine connection.

However, foreign evidence may require:

  • Platform preservation requests.
  • Mutual legal assistance.
  • Coordination with foreign law enforcement.
  • Requests through proper legal channels.
  • Compliance with foreign privacy and data laws.
  • Longer investigation timelines.

Complainants should preserve all locally available evidence immediately because foreign data may not be easily obtained.

XXIV. Filing When the Breach Involves Social Media or Email Accounts

For account takeovers, the complaint should include:

  • Account username, email, or profile URL.
  • Proof of ownership.
  • Date of last authorized access.
  • Date of takeover.
  • Password reset notices.
  • Login alerts.
  • Recovery email or phone changes.
  • Messages sent by attacker.
  • Screenshots of unauthorized posts.
  • Reports submitted to the platform.
  • Any extortion demand.
  • Any financial loss or impersonation.

The victim should also attempt platform recovery, enable multi-factor authentication, revoke unknown sessions, and preserve records before changes disappear.

XXV. Filing When the Breach Involves a Website or Server

For websites or servers, include:

  • Domain name.
  • Hosting provider.
  • Server IP address.
  • Admin panel involved.
  • Date and time of defacement or intrusion.
  • Server logs.
  • Web access logs.
  • Database logs.
  • File modification timestamps.
  • Malware samples.
  • Backdoor files.
  • Screenshots of defacement.
  • Backup records.
  • Vulnerability exploited, if known.
  • Remediation steps taken.
  • Impact on users or customers.

XXVI. Filing When the Breach Involves Ransomware

For ransomware, preserve:

  • Ransom note.
  • Encrypted file samples.
  • Malware sample, if available.
  • Communications with attacker.
  • Payment demand.
  • Wallet address.
  • Email or chat handle of attacker.
  • Affected systems.
  • Timeline of encryption.
  • Logs showing intrusion path.
  • Backups affected.
  • Business interruption records.
  • Costs incurred.

Avoid making unsupported statements that paying will restore data. Payment decisions require legal, operational, financial, and risk assessment.

XXVII. Filing When the Breach Involves Employee or Insider Misuse

For insider incidents, include:

  • Employment records.
  • Job description.
  • Access privileges.
  • Confidentiality agreement.
  • IT policies.
  • Acceptable use policy.
  • Resignation or termination dates.
  • Access logs.
  • Download logs.
  • Email forwarding records.
  • USB activity logs.
  • CCTV or physical access logs.
  • Witness statements.
  • Evidence of unauthorized use or disclosure.
  • Damage to the company.

The organization should also observe labor due process if employment discipline is contemplated.

XXVIII. Filing When the Breach Involves Customers or Users

If customer data is affected, the complaint should describe:

  • Number of affected users.
  • Categories of data involved.
  • Whether passwords were hashed or plaintext.
  • Whether financial data was involved.
  • Whether government IDs were involved.
  • Whether sensitive personal information was involved.
  • Whether data was exfiltrated or merely accessed.
  • Whether users suffered fraud or identity theft.
  • Notification steps taken.
  • Remediation measures.

This is important not only for criminal investigation but also for privacy compliance.

XXIX. Coordination with Banks, E-Wallets, Telcos, and Platforms

Where the breach leads to unauthorized transactions, immediate coordination with relevant entities is important.

Examples:

  • Banks may freeze accounts or investigate transactions.
  • E-wallet providers may trace wallet transfers.
  • Telcos may assist with SIM-related issues through proper process.
  • Platforms may preserve or suspend malicious accounts.
  • Hosting providers may preserve logs.
  • Domain registrars may assist with domain abuse complaints.
  • Payment processors may investigate merchant fraud.

A police report or complaint reference may help when requesting assistance from private entities.

XXX. Admissibility of Digital Evidence

Digital evidence must be authenticated. Courts may require proof that the electronic evidence is what it purports to be.

Important considerations include:

  1. Source of the record.
  2. Method of extraction.
  3. Integrity of the file.
  4. Metadata.
  5. Hash values.
  6. Chain of custody.
  7. Testimony of the person who collected the evidence.
  8. System reliability.
  9. Certifications, where applicable.
  10. Compliance with rules on electronic evidence.

Screenshots may be challenged if they are incomplete, altered, or unsupported. Original electronic records and proper authentication are stronger.

XXXI. Role of Expert Witnesses and Forensic Reports

In complex breaches, expert assistance may be necessary.

A forensic report may explain:

  • How the breach occurred.
  • What vulnerability was exploited.
  • What systems were affected.
  • What data was accessed.
  • Whether data was exfiltrated.
  • What logs show.
  • Whether malware was used.
  • Whether files were altered.
  • Whether credentials were compromised.
  • Whether the evidence suggests insider or external access.

Expert testimony may help prosecutors and courts understand technical issues.

XXXII. Civil Remedies and Other Legal Actions

A criminal complaint is not the only remedy. Depending on the case, a victim may also consider:

  1. Civil action for damages.
  2. Injunction to stop disclosure or misuse.
  3. Breach of contract claims.
  4. Employment disciplinary action.
  5. Data privacy complaint.
  6. Insurance claim.
  7. Regulatory report.
  8. Takedown requests.
  9. Demand letters.
  10. Internal administrative proceedings.
  11. Vendor indemnity claims.

Criminal prosecution punishes offenses; civil and regulatory actions may address compensation, compliance, and prevention.

XXXIII. Demand Letters and Settlement

In some cases, a complainant may consider a demand letter. This is common in insider misuse, vendor breaches, unauthorized disclosure, or business disputes.

However, demand letters should be handled carefully. A poorly worded demand may create risks, especially if it appears threatening, defamatory, or coercive.

A demand letter should generally:

  • State facts.
  • Identify obligations breached.
  • Demand preservation or return of data.
  • Demand cessation of unauthorized use.
  • Demand deletion or turnover, where appropriate.
  • Reserve rights.
  • Avoid unsupported criminal accusations.
  • Avoid unlawful threats.

Settlement does not automatically erase criminal liability where public offenses are involved. Prosecutorial discretion and legal rules still apply.

XXXIV. Confidentiality During Investigation

A breach investigation may involve sensitive data. The complainant should avoid unnecessary public disclosure of:

  • Personal data of affected individuals.
  • System vulnerabilities.
  • Security architecture.
  • Credentials.
  • Logs containing private information.
  • Names of suspects without sufficient basis.
  • Details that may help attackers.
  • Trade secrets.
  • Ongoing investigative steps.

Public communications should be coordinated with legal, management, technical, and privacy teams.

XXXV. Incident Response and Legal Response Should Work Together

A common mistake is treating the police complaint as separate from technical containment. The two should be coordinated.

For example:

  • IT should preserve logs before rotating or deleting them.
  • Legal should identify required notifications.
  • Management should approve authority documents.
  • DPO should assess privacy obligations.
  • Investigators should receive technically understandable evidence.
  • Communications should avoid admissions or speculation.
  • Remediation should not destroy evidence.

XXXVI. Breach Notification to Affected Persons

Where notification is legally required or appropriate, affected persons should generally be told:

  1. Nature of the breach.
  2. Type of data involved.
  3. Possible consequences.
  4. Measures taken by the organization.
  5. Steps individuals can take to protect themselves.
  6. Contact details for assistance.
  7. Whether law enforcement or regulators have been notified.

The notice should be accurate, timely, and not misleading.

XXXVII. Cybersecurity Remediation After Filing

Filing a complaint does not secure the system. Remediation should include:

  • Password resets.
  • MFA enforcement.
  • Token revocation.
  • Patch management.
  • Vulnerability scanning.
  • Endpoint cleanup.
  • Network segmentation.
  • Access review.
  • Least privilege enforcement.
  • Backup restoration.
  • Monitoring for persistence.
  • Rotation of API keys and secrets.
  • Review of admin accounts.
  • Review of firewall rules.
  • Malware removal.
  • Security awareness measures.
  • Updating incident response plans.

The complainant should document all remedial steps.

XXXVIII. Time Sensitivity and Prescription

Cybercrime and related offenses are subject to rules on prescription, but the practical concern is usually evidence loss rather than legal prescription. Digital evidence can vanish quickly. Early reporting improves the chance of preservation and tracing.

XXXIX. Practical Tips for a Strong Complaint

  1. Prepare a clear, chronological narrative.
  2. Attach technical evidence in organized folders.
  3. Label each attachment.
  4. Use plain language to explain technical terms.
  5. Include a summary table of suspicious access events.
  6. Include a list of compromised accounts or systems.
  7. Include a list of affected data categories.
  8. Bring both printed and digital copies.
  9. Preserve originals.
  10. Identify technical contact persons.
  11. Avoid exaggeration.
  12. Disclose if remedial actions altered systems.
  13. State whether the breach is ongoing.
  14. State whether urgent preservation is needed.
  15. Keep a copy of everything submitted.

XL. Suggested Evidence Folder Organization

For organized submission, the complainant may prepare folders such as:

  1. 01_Complaint-Affidavit
  2. 02_Authority-and-IDs
  3. 03_Timeline
  4. 04_System-Ownership
  5. 05_Logs
  6. 06_Screenshots
  7. 07_Email-Headers
  8. 08_Chat-and-Threats
  9. 09_Financial-Transactions
  10. 10_Data-Breach-Assessment
  11. 11_Forensic-Report
  12. 12_Witness-Affidavits
  13. 13_Remediation-Steps
  14. 14_Other-Supporting-Documents

Each file should have a descriptive filename, such as:

  • Firewall_Log_2026-05-10_to_2026-05-12.csv
  • Unauthorized_Login_Alert_2026-05-11.pdf
  • Ransom_Message_Screenshot_001.png
  • Email_Header_Phishing_Message.eml
  • Incident_Timeline.pdf

XLI. Sample Incident Timeline Table

Date/Time Event Evidence
May 10, 2026, 9:42 PM Multiple failed login attempts detected Auth logs
May 10, 2026, 10:03 PM Successful login from unfamiliar IP Server logs
May 10, 2026, 10:15 PM Admin password changed Admin activity log
May 10, 2026, 10:22 PM Database export initiated Database audit log
May 11, 2026, 8:10 AM Breach discovered by IT staff Incident report
May 11, 2026, 9:00 AM Account access revoked Remediation log
May 11, 2026, 2:00 PM Complaint materials prepared Evidence folder

XLII. Sample List of Offenses to Discuss with Investigators or Counsel

Depending on facts, the complainant may ask investigators or counsel to evaluate:

  1. Illegal access.
  2. Illegal interception.
  3. Data interference.
  4. System interference.
  5. Misuse of devices.
  6. Computer-related forgery.
  7. Computer-related fraud.
  8. Computer-related identity theft.
  9. Unlawful processing of personal information.
  10. Unauthorized disclosure.
  11. Malicious disclosure.
  12. Concealment of security breach involving sensitive personal information.
  13. Estafa.
  14. Theft or qualified theft.
  15. Falsification.
  16. Threats or coercion.
  17. Violation of access device laws.
  18. Breach of confidentiality obligations.
  19. Civil damages.

The exact charges should be based on evidence and prosecutorial evaluation.

XLIII. Important Distinctions

A. Breach vs. Vulnerability

A vulnerability is a weakness. A breach is an actual unauthorized access, disclosure, or compromise. A complaint should show not only that a weakness existed but that an unlawful act occurred.

B. Access vs. Exfiltration

Unauthorized access means entry or access without authority. Exfiltration means data was taken out or copied. A case may involve access even if exfiltration is not yet proven.

C. Suspicion vs. Evidence

Suspicion may justify investigation. Evidence supports prosecution. The complaint should clearly separate what is known, what is inferred, and what remains unknown.

D. Data Controller vs. Data Processor

In privacy law, the entity that determines the purpose and means of processing is generally treated differently from a service provider processing data on its behalf. This matters for breach notification, liability, and contractual duties.

E. Criminal Liability vs. Regulatory Liability

The hacker may face criminal liability. The breached organization may still face regulatory scrutiny if it failed to implement reasonable data protection measures.

XLIV. Frequently Asked Questions

1. Can I file a complaint even if I do not know who hacked me?

Yes. Many cybercrime complaints begin with an unknown suspect. Provide all identifiers and evidence available.

2. Is a screenshot enough?

Usually, a screenshot is helpful but not enough by itself. Logs, headers, metadata, transaction records, and original electronic files are stronger.

3. Should I report to PNP or NBI?

Both may handle cybercrime complaints. Choose the agency most appropriate and accessible, and avoid duplicative filings unless there is a legitimate reason and proper disclosure.

4. Do I need a lawyer?

A lawyer is not always required to make an initial report, but legal assistance is highly advisable for serious breaches, corporate incidents, personal data breaches, financial losses, insider cases, or incidents involving possible regulatory liability.

5. Should a company notify the National Privacy Commission?

If the breach involves personal data, especially sensitive personal information or risk of serious harm, the company should evaluate whether notification to the NPC and affected data subjects is required.

6. What if the breach was caused by a former employee?

The company may pursue criminal, civil, administrative, employment, and contractual remedies, depending on evidence.

7. Can deleted logs still be recovered?

Possibly, depending on backups, retention systems, forensic artifacts, cloud logs, or third-party records. Immediate forensic action improves chances.

8. Can I post online naming the hacker?

This is risky unless supported by clear evidence. Public accusations may expose the complainant to legal claims.

9. What if the hacker is outside the Philippines?

A Philippine complaint may still be possible if the victim, harm, data subjects, system, or effects are connected to the Philippines. Foreign evidence may require formal cooperation.

10. What if the data has already been leaked online?

Preserve evidence of the leak, including URLs, screenshots, timestamps, sample data, and access details. Avoid downloading or redistributing more personal data than necessary.

XLV. Conclusion

Filing a police cybercrime complaint for a system and data breach in the Philippines requires both legal and technical preparation. The complainant must show what system was affected, what unauthorized act occurred, what data was compromised, what damage resulted, and what evidence supports the allegation.

The most important practical steps are to preserve evidence, document the timeline, secure authority to file, prepare a complaint-affidavit, organize technical records, and approach the appropriate cybercrime law enforcement unit. Where personal data is involved, the complainant must also consider obligations under the Data Privacy Act and possible notification to the National Privacy Commission and affected individuals.

A well-prepared complaint does more than accuse. It helps investigators understand the incident, preserve volatile evidence, identify suspects, trace digital activity, and determine the proper criminal, civil, regulatory, and remedial actions.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login