Facebook breach affected 755,973 accounts in PH
MANILA, Philippines – Of the 29 million accounts affected worldwide by the breach that Facebook suffered in late September, 755,973 were based in the Philippines, Facebook told the National Privacy Commission (NPC).
Originally, 50 million were said to have been affected, but Facebook said after its investigation that the number affected was smaller, at 29 million. The hackers were able to gain access by exploiting several vulnerabilities, anchored by a vulnerability in the "View As" feature, which allowed them to take users' access tokens.
The company reported the details of the breach to the NPC on October 13, with the NPC releasing a report on Thursday, October 18. (READ: What to do after the massive Facebook hack)
The affected users were divided into 3 groups based on the personal information the perpetrators may have accessed.
The first group involves around 387,322 users. This group may have had their basic profile information compromised, including their registered full name, email address, and phone number if one was associated with the account.
The second group affects around 361,227 accounts. Along with basic profile information, the attackers may have also obtained the nickname, gender, language chosen by user, relationship status, religion, hometown, location, birthday, devices used with Facebook, educational background, work, website listed on profile, verified status information, list of recent location check-ins, recent search queries, and the top 500 accounts that the user follows.
The third group involves 7,424 users, whose posts, friends list, and groups they belong to may have also been exposed in addition to the information seen in the other two groups. Hackers may have also seen the names of who they have been talking to recently on Messenger.
In Facebook's report, the company said there is no risk of more harm happening to the compromised users. But the NPC does not agree.
"The risk of serious harm to Filipino data subjects is more than palpable," said the commission, as it contends that the breach increased the risk of users being exposed to spam, identity theft, and phishing operations.
Citing a report from cybersecurity company Kaspersky Labs, the NPC said Filipinos are among the most susceptible to information phishing attacks. One reason is that the level of awareness in the Philippines regarding these operations isn't yet as well-developed as in other nations like the United States.
Given this, the NPC ordered Facebook to take additional steps for the benefit of affected users.
The commission told Facebook to perform "individual notification," in which Facebook must notify each affected user, with specific information on what data were taken from them.
Facebook had notified users of the breach via a notification on the platform, but the NPC wants the social media giant to provide more concrete information to each user.
Facebook has also been ordered to provide free identity theft insurance or a credit monitoring service to affected Filipino data subjects. As an alternative to that, it may establish a dedicated help center located in the Philippines to provide assistance with identity restoration and other related matters. Facebook must comply with this within 6 months, states the NPC order dated October 17, 2018.
Facebook was also ordered to implement a program in the Philippines that would increase awareness of phishing and identity theft.
"The potential deleterious effects of a breach should not be diluted in the notification to the data subjects. Data breach notifications for data subjects are for their benefit; we must provide as much information as possible to assist the affected data subjects to brace for its impact," said the NPC.
In addition to Facebook's original report, the NPC has also ordered the social media giant to file a more comprehensive Data Breach Notification Report.
Below is the full NPC order: