Data protection body orders Facebook to act on data breach that affected 755,973 PH-based users

In relation to Facebook’s data breach in September that affected hundreds of thousands of Philippine-based users, the National Privacy Commission (NPC), an independent body mandated to monitor and ensure the country’s compliance with international data protection standards, ordered the social networking company to immediately address and rectify the issue, and to individually notify affected users.

The order, which was made available on NPC’s Facebook page, also orders Facebook to “submit a comprehensive Data Breach Notification Report to the Commission, provide identity theft and phishing insurance for affected Filipino data subjects, establish a dedicated helpdesk/help center for Filipino data subjects on privacy-related matters concerning Facebook, located in the Philippines and with a local number, within six months from receipt of the Order, implement a program in the Philippines or otherwise directed to Filipino data subjects to increase awareness on identity theft and phishing, provide evidence of compliance with the foregoing.”

On Sept. 28, Facebook revealed that it had discovered a vulnerability in its “View As” feature and that the personal data of 50 million users may have been compromised, including email address, phone number, and location, among others.

Consequently, many Philippine-based users also reported that they had been logged out of their accounts days before Facebook’s announcement. The social network said it was still investigating the case and that it had not yet detected whether personal information had been used maliciously.

On Oct. 13, Facebook informed the NPC that, of the 30 million people with stolen access tokens, it now believed that a total of 755,973 PH-based Facebook user accounts may have been compromised.

In a conference call held on Oct. 2, “Facebook, through counsel, informed this Commission that individual notification was not deemed ripe as the conditions for individual notification under Circular No. 16-03 were not yet met. At the same meeting, Facebook expressed a commitment to abide by Philippine data privacy laws.”

Facebook categorizes the affected users into three distinct groups, or “buckets,” based on the personal information the perpetrator may have accessed.

“The first bucket involves an estimated 387,322 Philippine-based user accounts whose basic profile information may have been compromised. Basic profile information consists of a user’s registered full name, email address, and phone number (if one was so associated with the account).”

The second bucket affects around 361,227 Philippine-based user accounts. In addition to the basic profile information potentially obtained as with the first group of users, the perpetrator may have also obtained personal details such as the devices used to access Facebook, the list of URLs the user entered into the website field of their profile, recent search queries on Facebook, and up to the top 500 accounts that the user follows, among a long list of other details.

“The third bucket involves 7,424 Philippine-based users. In addition to the data potentially obtained in relation to the first two groups of users, further information that may have been exposed include the posts on their timeline, their list of friends, groups they are members of, and the names of recent Messenger conversations.”

NPC said that in its understanding, “the breach exposed the personal information of persons with accounts that fall under any of the three buckets, to different degrees. Be that as it may, Facebook contends in its letter dated 13 October 2018 that there is no material risk of more extensive harm occurring.”

NPC justified one of its orders to “implement a program in the Philippines or otherwise directed to Filipino data subjects to increase awareness on identity theft and phishing” because “the risk of serious harm to Filipino data subjects is more than palpable… As Facebook itself notes, the main potential impact for affected users will be an increased likelihood of getting targeted for professional ‘spam’ operations and ‘phishing’ attacks.”

The commission said that Facebook must take into consideration that “risk must always consider the cultural milieu in which the risk is appreciated. For instance, this Commission takes notice that identity verification systems throughout the Philippines are quite weak.”
