ABS-CBN hack exposed card info during purchase transactions

An investigation by broadcast giant ABS-CBN has revealed that a hacking incident on its website last September 19 exposed the card information of its users during their purchase transactions.

This is according to the National Privacy Commission (NPC), which received ABS-CBN’s full report of the data breach on September 24. This is within the five-day deadline required for its submission.

The report showed that ABS-CBN learned of the breach incident at 8:18 AM of September 19, through a ZDNet online article published nine hours earlier. About 25 minutes later, the company reported the incident to its Managed Security Service Provider (MSSP) to assist in the investigation and containment efforts.

The MSSP found a “malicious java script” in the ABS-CBN online store, which prompted management to instruct its third-party vendor to take the website down. The compromised site was taken down on September 19, at 9:28 AM.

The malicious code or backdoor program captures a customer’s payment card information while an online purchase transaction is in progress. Thus, the attacker was able to illegally obtain, in real time, the personal data of affected customers, including their name, credit card number, its expiration date, and the card verification number. Other data collected were the data subject’s email address, phone number, and residential address.

The attacker uploaded the malicious code on August 16 and it remained active until the site was taken down. The credit card data of those who transacted with the site from August 16 until September 18 were presumed to be compromised.

The online store has 42,000 registered users. During the period when the site was compromised, there were a total of 208 validated purchase transactions from unique customers.

The company said that within 72 hours of discovering the breach, it was able to inform 202 affected data subjects through email and/or cell phone message. There were six customers, however, who either did not provide a contact number or had an invalid email address, and whom the company would have to reach via postal mail.

The affected data subjects were advised by ABS-CBN to immediately inform their bank and credit card provider and change their password. They were also warned not to give any personal or financial information to anyone who may claim to be a company representative.

Users of the UAAP Online Store were not affected. Management took it down only as a precautionary measure since it points to the same payment gateway and uses the same provider platform as the compromised site.

Oddly, the MSSP also found suspicious logins from one of the administrator accounts of the third-party vendor, which the concerned administrator acknowledged were not his.

ABS-CBN then required its third-party vendor to reset all passwords and use two-factor authentication.

Upon examining the breach report submitted by ABS-CBN, the NPC investigation team summoned the company’s Data Protection Officer (DPO), Jay C. Gomez, for clarification on September 27. Citing the MSSP’s report, Gomez said the incident was likely a coordinated attack and part of the massive card skimming campaign of cyber-criminal and threat group Magecart.

“We note that had ABS-CBN insisted that its third-party developer use multi-factor authentication earlier, the site would not have been compromised,” NPC Raymund Liboro said in a statement.

“The NPC treats every instance of data breach with grave concern as it potentially puts at risk people’s data privacy. In this regard, we strongly advise Personal Information Controllers (PICs) and Personal Information Processors (PIPs) to monitor their systems regularly, and have security checks in place, including the full implementation of at least two-factor authentication,” Liboro added.

The NPC said its investigation of the breach incident is still ongoing and cited the continued cooperation of ABS-CBN management.
