THE National Privacy Commission (NPC) ordered Facebook on Thursday, October 18, to submit a comprehensive Data Breach Notification Report and notify its Philippine-based users who were possibly affected by the security breach that happened in September.
Under NPC Circular 16-03, the commission also directed the social media giant to provide identity theft and phishing insurance and to establish a dedicated help desk in the Philippines within six months of receipt of the order.
The directive came after Facebook discovered in September an increase in the number of users of its “View As” feature, prompting the company to investigate it. Facebook then discovered that about 30 million accounts (not 50 million as earlier reported) had been compromised.
Of the 30 million people, 755,973 users are in the Philippines.
Facebook said that of the over 700,000 affected Philippine-based users, hackers were able to access basic information from 387,322 accounts and got other details, such as their history, birth date, location, devices and hardware, verified status information, and list of places the users checked into, from 361,227 accounts.
For the remaining 7,424 users, the exposed information may include the users' recent posts, list of friends, and chat information.
But Facebook said "there is no material risk of more extensive harm occurring," an assessment the NPC disagreed with.
"The risk of serious harm to Filipino data subjects is more than palpable. The conditions for individual notification are present," the commission said.
The NPC said the officials of Facebook have committed to abide by the Philippine data privacy laws.
Facebook said earlier that third-party apps that use a Facebook login and Facebook apps like WhatsApp and Instagram were unaffected by the breach.
Facebook said the FBI is investigating but has asked the company not to discuss who may be behind the attack. The company said it has not ruled out the possibility of smaller-scale attacks that used the same vulnerability.
Facebook has said the attackers gained the ability to "seize control" of those user accounts by stealing digital keys the company uses to keep users logged in. They could do so by exploiting three distinct bugs in Facebook's code.
The hackers began with a set of accounts they controlled, then used an automated process to access the digital keys for accounts that were "friends" with the accounts they had already compromised. That expanded to "friends of friends," extending their access to about 400,000 accounts, and went on from there to reach 30 million accounts. There is no evidence that the hackers made any posts or took any other action using the hacked accounts.
The company said it has fixed the bugs and logged out affected users to reset those digital keys. (With AP/SunStar Philippines)