MANILA -- The National Privacy Commission (NPC) has ordered Facebook to provide notifications to more than 700,000 Filipino users, whose personal information were affected by a data breach last September.
In its order Thursday, the privacy watchdog said the social media firm must provide identity theft insurance for affected Filipino data subjects or establish a local-based help desk on privacy-related matters and implement a program to increase awareness on identity theft and phishing.
“Facebook is hereby mandated to submit a more comprehensive Data Breach Notification Report and inform the data subjects in compliance with the provisions of NPC Circular No. 16-03 – Personal Data Breach Management,” NPC Commissioner Raymund Liboro said.
“Due to the nature and exposure of the Filipino data subjects, Facebook must also provide for identity theft insurance or credit monitoring service for free to affected Filipino data subjects; or, in the alternative, establish a dedicated help desk/help center for Filipino data subjects who may be adversely affected by this incident, to provide assistance in identity restoration and other related matters,” he added.
Facebook has disclosed to the NPC last Oct. 13 that a total of 775,973 Philippine-based accounts were compromised due to a data breach last Sept. 28 that was attributed to vulnerabilities in its “View As" feature, which allows people to see what their own profile looks like to other users.
The social networking site categorized the affected users into three buckets or groups, depending on the information accessed.
The first bucket involved around 387,322 Philippine-based user accounts whose basic profile information such as registered full names, email addresses, and phone numbers were illegally accessed.
The second bucket affected around 361,227 Philippine-based user accounts wherein information such as locations, birthdays, relationship statuses, among others, were compromised on top of their basic profile information.
The third bucket involves 7,424 Philippine-based users, whose posts on their timelines, their list of friends, groups they are members of, and the names of recent Messenger conversations were exposed, in addition to data that were obtained in relation to the first two groups of users.
The NPC has disagreed with the stance of Facebook that it is not obligated to provide notifications to individuals that were affected by the data breach.
“Facebook contends that there is no material risk of more extensive harm occurring. This Commission does not agree; the risk of serious harm to Filipino data subjects is more than palpable. The conditions for individual notifications are present,” Liboro said.
“The potential deleterious effects of a breach should not be diluted in the notification to the data subjects. Data breach notifications for data subjects are for their benefit; we must provide as much information as possible to assist the affected data subjects to brace for its impact,” he added.
Liboro stressed that Filipinos must be aware of the potential risks of being targeted for professional "spam" operations and "phishing" attacks.
He noted that there is a low level of awareness for spam, phishing and identity theft in the country compared to the United States and other developed countries as identity verification systems have been weak.
“The increase in risk for phishing and/or identity theft is self-evident for those persons who were exposed through the unauthorized use of the access tokens. The Commission therefore deems it necessary that Facebook contemplate this cultural gap when notifying the affected data subjects. Facebook should modify its approach and provide a more conducive method that enables affected Filipino data subjects to better grasp the risks they face,” Liboro added.
The data breach on Facebook has affected around 50 million user accounts worldwide. (PNA)
