Facebook ordered to provide insurance or aid to 755,000 Filipinos affected by data breach



Metro Manila (CNN Philippines, October 18) — The National Privacy Commission (NPC) on Thursday ordered Facebook to take necessary measures following a data breach that affected more than 700,000 Filipino users.

In particular, the NPC asked the social media giant to "provide identity theft and phishing insurance for affected Filipino data subjects, or in the alternative, establish a dedicated helpdesk/help center for Filipino data subjects on privacy related matters concerning Facebook, located in the Philippines and with a local number."

Phishing is a cybercrime where perpetrators pose as legitimate representatives of reputable organizations to make users divulge sensitive information the attackers can use for their benefit. The insurance covers the costs that would arise from identity theft.

The NPC said Facebook should comply by April next year, or within six months upon receipt of the order.

Privacy commissioner Raymund Liboro told CNN Philippines the government is taking the potential risks seriously, stressing that perpetrators will next try to make money from users' data.

"This is not just a simple case of, as others say, someone hacking just to make a point or to make a mess, just to cause trouble. This one is to make money," Liboro said.

He warned affected users to be vigilant, citing as an example how the attackers could obtain their bank details by sending a hoax e-mail that appears to come from legitimate banks.


Who's at risk?

Facebook earlier notified the government that a total of 755,973 Philippine-based Facebook user accounts may have been compromised. They were part of some 30 million users worldwide who were logged out of their accounts on September 28 due to an attack that stole their access tokens or information used to log on to their profile.

This includes over 380,000 affected users in the country whose basic profile information, including registered full name, email address, and phone number, has been exposed, the NPC said.

Meanwhile, the perpetrators may have obtained more sensitive information from some 360,000 user accounts, including their location, work history, list of recent places the user has checked in, and recent search queries, among others.

For the remaining 7,424 users, the NPC said "further information that may have been exposed include the posts on their timeline, their list of friends, groups they are members of, and the names of recent Messenger conversations."

More steps Facebook should take

The NPC slammed Facebook's October 13 letter that says "there is no material risk of more extensive harm occurring."

"This Commission does not agree; the risk of serious harm to Filipino data subjects is more than palpable. The conditions for individual notification are present," the NPC said.

It said the data breach made the affected users more vulnerable to professional spam operations, phishing attacks, and identity theft. The NPC admitted that the "identity verification systems throughout the Philippines are quite weak."

The NPC also ordered Facebook to submit a more comprehensive report on the data breach and inform all affected users about the possible risks they face. Liboro said Facebook's "generic announcements" are not enough.

"Data breach notifications for data subjects are for their benefit; we must provide as much information as possible to assist the affected data subjects to brace for its impact," the NPC said.

It also wants the social media company to implement a program that would increase Filipinos' awareness of identity theft and phishing.