755,973 FB accounts in PH hacked
Personal information of more than 755,000 Facebook users in the Philippines was compromised last month, making them likely targets of spam operations and phishing attacks, according to the National Privacy Commission (NPC).
The NPC made the disclosure after a compliance order was filed against Facebook Inc., the first of its kind following a data breach in September that compromised the personal information of tens of millions of users across the globe.
An independent body created under Republic Act No. 10173, or the Data Privacy Act of 2012, the NPC seeks to ensure that personal information in the government and private sector’s information and communications systems are secured and protected.
User data were compromised in different extents, according to the agency, citing an update it received from Facebook on Oct. 13.
Compromised data
A total of 755,973 users were affected, with large numbers having had their online footprint, such as search queries and Facebook posts exposed.
Philippine-based user accounts numbering 387,322 had their basic profile information compromised, such as full name, e-mail address and phone number.
Others might have had it worse.
On top of having their basic profile information known, 361,227 accounts also had other pieces of data breached, such as location, recent search queries on Facebook, and the top 500 accounts they follow.
A total of 7,424 users had more information exposed, such as Facebook posts, list of friends, groups they are members of, and the names of people they recently chatted with.
The world’s largest online social network, with 1.5 billion daily users, claimed that the vulnerability was fixed on Sept. 28, three days after it was discovered.
Affected users should have been notified through their Facebook app about the issue.
But a representative from the NPC said the notification did not detail the extent of compromise.
In a statement on Sept. 29, the NPC said Facebook terminated the log-in sessions of those who were seen affected by the breach, having them enter their login credentials again.
The company, which is still reeling from the earlier Cambridge Analytica data breach scandal, insisted that there was “no material risk of more extensive harm occurring,” the NPC said. It, however, does not agree with Facebook on this matter.
“[T]he risk of serious harm to Filipino data subjects is more than palpable,” said Privacy Commissioner Raymund Liboro in the compliance order.
In effect, Filipino users become more likely targets of cyberattacks.
Spam, phishing
“As Facebook itself notes, the main potential impact for affected users will be an increased likelihood of getting targeted for professional ‘spam’ operations and ‘phishing’ attacks,” Liboro said.
He said Facebook should consider the fact that a lot of Filipinos were unaware of how harmful the attacks were, even though the risk and vulnerability of Filipinos were one of the highest in the world.
The level of awareness of such risks in the Philippines is not the same as that in developed countries.
Cultural gap
Considerations should be made to take into account the “cultural milieu in which the risk is appreciated,” Liboro said.
“The commission … deems it necessary that Facebook contemplate this cultural gap when notifying the affected data subjects. Facebook should modify its approach and provide a more conducive method that enables affected Filipino data subjects to better grasp the risks they face,” he added.
What happens now?
It remains to be seen if the data breach would prompt the NPC to file any charges against the popular social networking company.
Investigation of a separate breach is still going on, the Cambridge Analytica scandal, in which the data of millions of users worldwide—including more than a million Filipinos—were “improperly shared.”
In this most recent case of data breach, Facebook was directed to perform certain measures, according to the compliance order.
Identity theft insurance
This included telling Facebook to make a choice: either provide an identity theft and phishing insurance for affected users, or put up a helpdesk in the Philippines within six months.
Liboro also told Facebook to submit a more comprehensive report about data breach notification, notify those who were affected in accordance with NPC rules, implement a program directed at Filipino users to increase awareness of identity theft and phishing, and provide evidence that it had indeed complied with these orders.
