Facebook told to notify 700k Filipinos hit by data breach
The National Privacy Commission (NPC) has ordered Facebook to individually notify the more than 700,000 Filipino users who had been affected by a data breach about two weeks ago.
In an order dated October 17, NPC Commissioner Raymund Liboro compelled the social networking site to notify the affected data subjects from the breach, and submit a more comprehensive data breach notification report to the Commission.
The NPC also asked Facebook to provide identity theft and phishing insurance for affected Filipino data subjects, or establish a dedicated helpdesk/help center located in the Philippines and with a local number, within six months from receipt of the order; and implement a program in the Philippines or otherwise directed to Filipino data subjects to increase awareness on identity theft and phishing.
The order relates to an ongoing investigation of Facebook concerning the exploitation of the “View As” feature to extract users’ access tokens without their consent.
Guy Rosen, Facebook vice president for Product Management, announced on September 28 that they discovered a security issue affecting almost 50 million accounts last September 25.
He said the attacks “exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else.”
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” he added in a statement.
He also said the vulnerability had been fixed and Facebook had notified all its users via an in-app update message also on September 28, or three days after the attack.
However, the NPC said in its order that in an October 2 conference call with Facebook officials, the company, through its counsel, disclosed that “individual notification was not deemed ripe as the conditions for individual notification under Circular No. 16-03 were not yet met.”
This means Facebook users affected by the data breach were not individually notified of the breach.
“On 13 October, Facebook informed the National Privacy Commission that of the 30 million people with stolen access tokens, they now believe that a total of 755,973 Philippine-based Facebook user accounts may have been compromised that forced Facebook to log out users from their accounts last September 28,” the NPC added.
The NPC also noted that Facebook categorized the affected users into three distinct groups, or “buckets” based on the personal information the perpetrators may have accessed from their accounts.
Depending on the “bucket,” the perpetrators may have obtained data ranging from the basic profile information, work history, website list, list of most recent places where the user has checked-in, up to the top 500 accounts that the user follows, posts on their timeline, their list of friends, groups they are members of, up to the names of recent Messenger conversations.
According to the NPC, some 387,322 Philippine-based user accounts had their basic profile information compromised, including their full name, email address, and phone number.
Others, however, might have had it worse.
On top of having their basic profile information compromised, the NPC said 361,227 accounts also had other pieces of data breached — their location, recent search queries on Facebook as well as the top 500 accounts they follow.
Meanwhile, 7,424 users had further information exposed, including their Facebook posts, list of friends, groups they are members of, and names of people who they recently chatted with.
The NPC said Facebook contended in its letter dated October 13 that “there is no material risk of more extensive harm occurring.”
But the government’s privacy agency disagreed.
“This Commission does not agree; the risk of serious harm to Filipino data subjects is more than palpable. The conditions for individual notification are present,” it stressed.
“Data breach notifications for data subjects are for their benefit; we must provide as much information as possible to assist the affected data subjects to brace for its impact,” the Commission added.
In effect, affected users would become more likely targets of cyberattacks.
“As Facebook itself notes, the main potential impact for affected users will be an increased likelihood of getting targeted for professional ‘spam’ operations and ‘phishing’ attacks,” Commissioner Raymund Liboro said in the compliance order.
He also said Facebook should consider the fact that a lot of Filipinos are unaware of how harmful these are, even though the risk and vulnerability of Filipinos are among the highest in the world.
Needless to say, the level of awareness in the Philippines of such risks is not the same as that in developed countries, the NPC noted. Thus, considerations should be made, Liboro said, to take into account the “cultural milieu in which the risk is appreciated.”
“The Commission therefore deems it necessary that Facebook contemplate this cultural gap when notifying the affected data subjects. Facebook should modify its approach and provide a more conducive method that enables affected Filipino data subjects to better grasp the risks they face,” Liboro added.
It remains to be seen, however, if the data breach would prompt the NPC to file any charges against the popular social networking company. /cbb/kga