By Anna Gabriela A. Mogato
Following yet another massive global data breach, the National Privacy Commission (NPC) has ordered Facebook management to submit “a more comprehensive data breach notification report”, and take accountability for the breach that has affected over 750 thousand Filipino users.
Facebook believes their system was breached on Sept. 12, two days before data began being siphoned. By Sept. 25, Facebook management caught wind of the attack and launched countermeasures, allegedly resolving the issue three days later. On Sept. 29, the NPC was notified of the event, a day after Facebook published an update that estimated over 50 million accounts were compromised worldwide.
On Oct. 13, Facebook filed another notice to the NPC, amending that figure to 30 million affected users. Of those 30 million users, 755,973 accounts were based in the Philippines. The report to the NPC found that:
– 387,322 Filipino users had their basic profile information compromised,
– 361,227 Filipino users had more advanced personal information compromised, and
– 7,424 Filipino users had timeline posts, lists of friends, joined groups, and names in recent Messenger conversations compromised.
The attack was facilitated through an exploit of Facebook’s “View As” feature, through which hackers managed to secure access tokens to user accounts without the users’ knowledge or consent. An access token acts as a “key” to one’s account, granting access without the need for the login, password and two-factor authentication codes.
In their letter, Facebook noted that they don’t foresee any more extensive harm to Philippine accounts.
The NPC, unconvinced, ordered Facebook to provide “identity theft and phishing insurance for the affected Filipino data subjects.” If Facebook cannot comply with giving out insurance, it will have to establish a help desk for Filipinos to turn to for privacy-related matters within six months of receiving the order.
The NPC also said that Facebook will have to implement a program to further spread awareness of identity theft and phishing.
“The level of awareness for spam, phishing, and identity theft in the Philippines is not the same as those of the United States and the other developed nations; considerations of risk must always consider the cultural milieu in which the risk is appreciated,” NPC said in its order.