The Philippine Star

NPC seeks Facebook report, insurance over data breach

- By LOUELLA DESIDERIO

The National Privacy Commission (NPC) has ordered Facebook to submit a data breach notification report and provide identity theft and phishing insurance to the 755,973 affected users of the social networking site based in the Philippines.

In an order dated Oct. 17, NPC said it is directing Facebook to submit a more comprehensive data breach notification report on the incident, as well as notify the affected data subjects in line with rules under NPC Circular 16-03.

NPC also ordered Facebook to provide identity theft and phishing insurance for affected Philippine-based data subjects, or as an alternative, set up a dedicated help desk or help center for affected individuals on privacy-related matters concerning Facebook.

“Due to the nature and exposure of the Filipino data subjects, Facebook must also provide for identity theft insurance or credit monitoring service for free to affected Filipino data subjects; or, in the alternative, establish a dedicated help desk/help center for Filipino data subjects who may be adversely affected by this incident, to provide assistance in identity restoration and other related matters,” NPC said.

The help desk, to be located in the country, must be in place within six months from the receipt of the order.

In addition, Facebook is directed to implement a program to raise the awareness on identity theft and phishing of Filipino data subjects.

NPC issued the order as 755,973 Philippine-based users were affected in the use of the “View As” feature of the social networking site to extract information without consent.

Facebook believes the attack may have taken place during the unexpected increase in traffic on the use of the “View As” feature of the social networking site late last month.

Last Sept. 28, NPC received informal notice from Facebook on the vulnerability found in the social networking site.

Facebook has categorized the affected users into three distinct groups, or “buckets,” based on the personal information the perpetrator may have accessed.

The first bucket, which involves an estimated 387,322 Philippine-based user accounts, covers those whose basic profile information, such as the registered full name, email address and phone number, may have been compromised.

For the second bucket, which covers 361,227 Philippine-based user accounts, the perpetrator may have also obtained, in addition to basic profile information, details such as username, name on the profile, email address, phone, gender, relationship status, religion, hometown, location, birthday, devices, educational background, work history, website, verified status information, recent places where the user has checked in, recent search queries, and up to the top 500 accounts followed.

As for the third bucket, which involves 7,424 Philippine-based users, the perpetrator may have obtained further information including posts on their timeline, list of friends, groups they are part of, and the names of recent Messenger conversations.

While Facebook has said in its letter there is no material risk of more extensive harm occurring, NPC holds a different view.

“The conditions for individual notification are present. As Facebook itself notes, the main potential impact for affected users will be an increased likelihood of getting targeted for professional ‘spam’ operations and ‘phishing’ attacks. However, the risk and vulnerability of Filipinos to spam and phishing are regarded as one of the highest in the world,” NPC said.

Based on a report from Kaspersky Lab, approximately nine out of 10 Filipinos are susceptible to phishing attacks.

As the level of awareness for spam, phishing and identity theft in the Philippines is not the same as in the US and the other developed nations, the NPC deems it necessary that Facebook consider the cultural gap when notifying the affected data subjects.
