Filipinos are not unfamiliar with their personal data being made freely and publicly available on the internet, and we have the Commission on Elections to thank for that (remember COMELEAKS?). What can you do when the one held responsible has gone into hiding and extradition is not a priority?
Filipinos’ data were also compromised, this time by Facebook, through its Cambridge Analytica partnership. Does anybody know if anyone was sanctioned over this scandal? Did Filipino Facebook users get compensated or anything? This happened in 2013, and our RA 10173, the Data Privacy Act, was approved in 2012, but the implementing rules and regulations were only done in 2016 — to my lawyer friends, is this covered by RA 10173?
Anyway, this time, Facebook messed up again. A 2019 security breach allowed hackers to collect 533 million Facebook user accounts, of which around 880,000 belong to Filipinos. This data has been made available as of April 4, 2021, for everyone to download… for free! At the very least, the data contains full name, declared gender, and mobile phone number — with some records also having email address, birth date, employment details, and more. This, for sure, falls within the purview of RA 10173.
I was able to query the data and found the Facebook accounts of family, colleagues, friends, and acquaintances. I was able to verify this by checking their mobile phone numbers against my address book or by asking them (knowing that they had not given me their numbers) whether the numbers were valid.
There is no easy way to find out whether your Facebook account is part of the huge data dump, but if your email address is included, checking it on haveibeenpwned.com (HIBP) is the best way. Unfortunately, if your email address is not part of the data dump, HIBP won’t be able to help you. Just a note: of the 533 million accounts, fewer than 3 million have email addresses.
If the mobile number you used on Facebook is a publicly available number, i.e., published on your personal or company website, then there is not much to worry about. However, if you kept that mobile number available to only a select few, then this is a huge concern. More so if the mobile number is used for two-factor authentication (2FA) and mobile banking. To add to the complexity, if the mobile number is a postpaid number, then replacing it won’t be that easy. Unfortunately, once the data is out there, there is no way to get it back. (Facebook is not even sorry that this happened, stating that it is an old breach from 2019 anyway.)
As of writing, the National Privacy Commission (NPC) has started investigations. One thing is evident — those I have contacted to verify whether the data belongs to them were not informed by Facebook in 2019! If I remember correctly, the law specified the number of days within which users need to be informed that their data has been compromised, which Facebook clearly violated. Let’s see how the NPC will handle this case (will they just slap Facebook’s hand and call it a day, another breach, ho-hum?). If your data is part of the data dump, then file a complaint with the NPC to pressure them to take care of you. I jested that if the NPC were to penalize Facebook US$50 per account, with US$40 going to the data owner and US$10 to the government, that would give the government US$8.8M, which can buy a lot of vaccines for Filipinos!