The National Privacy Commission (NPC) has ordered Facebook to conduct remedial and notification measures after learning that more than 700,000 local users of the social media site were affected during a recent data leak.
In an order dated October 18, the NPC directed Facebook, which has a local office, to implement identity theft insurance or credit monitoring service for free to affected Filipino data subjects or establish a dedicated helpdesk for Filipino data subjects who may have been affected to provide assistance in identity restoration and other related matters.
The hacking incident appeared to have occurred on September 25 when Facebook discovered that there was an unexpected increase in traffic on the use of the “View As” feature. It is believed that this was introduced into Facebook’s code on July 12, 2017. However, Facebook said the attack may have only commenced on September 14, 2018, the date when the spike in traffic commenced.
Three days after it was discovered by Facebook, the vulnerability was then allegedly fixed and the social media notified all its users via an in-app update message supposedly on the same date.
Facebook informed the NPC that of the 30 million people with stolen access tokens, they now believe that a total of 755,973 Philippine-based Facebook user accounts may have been compromised that forced Facebook to log out users from their accounts last September 28.
Facebook categorized the affected users into three distinct groups, or “buckets” based on the personal information the perpetrator may have accessed.
The first bucket involves an estimated 387,322 Philippine-based user accounts whose basic profile information may have been compromised. Basic profile information consists of a user’s registered full name, email address, and phone number.
The second bucket affects around 361,227 Philippine-based user accounts. In addition to the basic profile information potentially obtained as with the first group of users, the perpetrator may have also obtained:
a. Username,
b. First name used on the profile,
c. Last name used on the profile,
d. Name (nickname as set by the user on the profile (if any)),
e. Email address (primary email address associated with the account),
f. Phone (confirmed mobile phone numbers associated with account),
g. Gender (as set by the user on the profile),
h. Locale (language as picked by the user),
i. Relationship status (as set by the user on the profile),
j. Religion (as described by the user on the profile),
k. Hometown (as set by the user on the profile),
l. Location (current city, as set by the user on the profile), m. Birthday (as set by the user on the profile),
n. Devices (that are used by the user to access Facebook – fields include ‘os’ (e.g., iOS) and hardware (e.g., iPhone),
o. Educational background (as set by the user on the profile),
p. Work history (as set by the user on the profile),
q. Website (list of URLs entered by the user into the website field on the profile),
r. Verified status information (this is a flag for whether Facebook has a strong indication that the user is who they say they are),
s. List of most recent places where the user has checked in (these locations are determined by the places named in the posts, such as a landmark or restaurant, not location data from a device),
t. Recent search queries on Facebook, and
u. Up to the top 500 accounts that the user follows.
The third bucket involves 7,424 Philippine-based users. In addition to the data potentially obtained in relation to the first two groups of users, further information that may have been exposed include the posts on their timeline, their list of friends, groups they are members of, and the names of recent Messenger conversations.
?From the tenor of the document, we now understand that the breach exposed the personal information of persons with accounts that fall under any of the three buckets, to different degrees,? the NPC noted.
The NPC said it does not agree with the Facebook’s assertion that “no material risk of more extensive harm occurring. In fact, the agency said “the risk of serious harm to Filipino data subjects is more than palpable.”
?The conditions for individual notification are present. As Facebook itself notes, the main potential impact for affected users will be an increased likelihood of getting targeted for professional ?spam? operations and ?phishing? attacks,? it pointed out.
The agency also noted that ?the risk and vulnerability of Filipinos to spam and phishing are regarded as one of the highest in the world.?
?The level of awareness for spam, phishing and identity theft in the Philippines is not the same as those of the United States and the other developed nations; considerations of risk must always consider the cultural milieu in which the risk is appreciated. For instance, this Commission takes notice that identity verification systems throughout the Philippines are quite weak,? it said.
?The Commission therefore deems it necessary that Facebook contemplate this cultural gap when notifying the affected data subjects. Facebook should modify its approach and provide a more conducive method that enables affected Filipino data subjects to better grasp the risks they face.?
The NPC thus mandated Facebook to submit a more comprehensive Data Breach Notification Report and inform those affected by the hack to be given the appropriate notifications.
