Facebook data breach affected 755,973 users in the Philippines
On October 17, 2018, the National Privacy Commission (NPC) ordered Facebook to take action regarding the recent data breach that affected millions of users around the globe, including 755,973 users in the Philippines.
On September 28, 2018, Facebook revealed that attackers had exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. The vulnerability allowed them to steal Facebook access tokens, which they could use to take over people’s accounts. Facebook then fixed the vulnerability and, on September 29, 2018, informed the Commission about the attack through an e-mail.
Facebook posted an update on October 12, 2018, which provides details on how the attack happened.
On October 13, Facebook informed the National Privacy Commission that a total of 755,973 Philippine-based Facebook user accounts may have been compromised in the incident that forced Facebook to log users out of their accounts last September 28.
The NPC said that an estimated 387,322 of those accounts may have had their basic profile information compromised, such as full name, email address, and phone number.
Perpetrators may have obtained more sensitive information from the other 361,227 accounts, such as location, birthday, devices used, and work history, to name a few.
Further information may have been exposed from the remaining 7,424 accounts, including posts on their timeline, list of friends, groups they are members of, and the names of recent Messenger conversations.
The NPC believes that there is a risk of serious harm to Filipino users, as there will be an increased likelihood that these users will be targeted for professional “spam” operations and “phishing” attacks. The NPC also slammed Facebook’s letter dated October 13, 2018, which said that “there is no material risk of more extensive harm occurring.”
The NPC then ordered Facebook to submit a more comprehensive Data Breach Notification Report and inform the data subjects in compliance with the provisions of NPC Circular No. 16-03 – Personal Data Breach Management.
Facebook was also ordered to provide identity theft insurance or credit monitoring service for free to affected Filipino data subjects; or, in the alternative, establish a dedicated helpdesk/help center for Filipino data subjects who may be adversely affected by this incident, to provide assistance in identity restoration and other related matters.