The National Privacy Commission asked social media platform Facebook to provide identity theft and phishing insurance and establish a dedicated helpdesk for 750,000 Filipino users who were affected by a data breach last month.
The agency said in an e-mail to Facebook the incident might have compromised the privacy of more than 700,000 Facebook users in the Philippines. It gave the social media company six months to address the situation.
NPC commissioner Raymund Liboro said the agency also asked Facebook to submit a more comprehensive data breach notification report, notify all affected Filipino users and implement a program in the Philippines to increase awareness of identity theft and phishing.
Facebook discovered the breach on Sept. 25 when unexpected traffic was noticed on the site, allegedly due to a feature called “View As”.
Facebook said it was able to fix the glitch three days later.
Affected were users' personal data, such as username; first name, last name and nickname used on the profile; email address; phone numbers; address; hometown and location; birthday and relationships; websites browsed through Facebook and search data; work history and educational background, among others.
Facebook informed the National Privacy Commission on Oct. 13 that of the 30 million people with stolen access tokens, a total of 755,973 Philippine-based Facebook user accounts might have been compromised, which forced Facebook to log out users from their accounts on Sept. 28.
“From the tenor of the document, we now understand that the breach exposed the personal information of persons with accounts that fall under any of the three buckets, to different degrees. Be that as it may, Facebook contends in its letter dated 13 October 2018 that there is no material risk of more extensive harm occurring. This commission does not agree; the risk of serious harm to Filipino data subjects is more than palpable,” Liboro said.
He said the main potential impact for affected users would be an increased likelihood of getting targeted for professional “spam” operations and “phishing” attacks, according to Facebook.
“However, the risk and vulnerability of Filipinos to spam and phishing are regarded as one of the highest in the world. According to the Are You Cyber Savvy Report from Kaspersky Lab, approximately 9 out of 10 Filipinos are susceptible to phishing attacks,” he said.
Liboro said that because the level of awareness of spam, phishing and identity theft in the Philippines was not the same as that in the United States and other developed nations, assessments of risk should always take into account the cultural milieu in which the risk was appreciated.
The commission said the identity verification systems throughout the Philippines were quite weak.
It said Facebook should contemplate this cultural gap when notifying the affected data subjects.
Facebook should also modify its approach and provide a more conducive method that enables affected Filipino data subjects to better grasp the risks they face, it said.