September 19, 2018 | 2:00 PM UTC Last Edit: October 12, 2018
RELEASE 01 – September 19, 2018
1. News of a possible data breach of ABS-CBN’s online stores has reached the National Privacy Commission this morning, where customers reportedly face the possibility of theft of their financial data due to a payment skimmer which has been discovered by a Dutch security researcher.
2. At 12:37 PM, the Commission has received a breach notification from the company’s Data Protection Officer (DPO), Jay C. Gomez. At around the same time, the company has also publicly disclosed the incident on Twitter.
3. We expect ABS-CBN’s DPO to act in accordance with breach management standards set forth by the Commission, and fully set in motion its breach response protocols, including the safeguarding of their systems and the prevention of possible harms to affected data subjects.
4. The National Privacy Commission is monitoring the situation and expect ABS-CBN to send us a full report on the incident within five days.
RELEASE 02 – October 12, 2018
5. The National Privacy Commission received ABS-CBN’s full report of the data breach on September 24, at 7:51 PM. This is within the 5-day deadline required for its submission, as mandated in NPC Circular 16-03.
6. The report shows that ABS-CBN learned of the breach incident at 8:18 AM of September 19, through a ZDNet online article published nine hours earlier. About 25 minutes later, the company reported the incident to its Managed Security Service Provider (MSSP) to assist in the investigation and containment efforts.
7. The MSSP found a “malicious java script” from the ABS-CBN online store, which prompted management to instruct its third-party vendor to take the website down. The compromised site was taken down on September 19, at 9:28 AM.
8. The malicious code or backdoor program captures a customer’s payment card information while an online purchase transaction is in progress. Thus, the attacker was able to illegally obtain in real-time, the personal data of affected customers, including their name, credit card number, its expiration date, as well as the card verification number. Other data collected were the data subject’s email address, phone number, and residential address.
9. The attacker uploaded the malicious code on August 16 and it remained active until the site was taken down. The credit card data of those who transacted with the site from August 16 until September 18 were presumed to be compromised.
10. The online store has forty-four thousand registered users. During the period when the site was compromised, there were a total of 208 validated purchase transactions from unique customers. The company said, within 72 hours upon discovery of the breach, it was able to inform 202 affected data subjects through email and/or cell phone message. There were 6 customers, however, who either did not provide a contact number or has an invalid email address, which they would have to reach via postage mail.
11. Affected data subjects were advised by ABS-CBN to immediately inform their bank and credit card provider and change their password. They were also warned not to give any personal or financial information to anyone who may claim to be a company representative
12. Users of the UAAP Online Store were not affected. Management took it down only as a precautionary measure since it points to the same payment gateway and uses the same provider platform as the compromised site.
13. Oddly, the MSSP also found suspicious logins from one of the administrator accounts of the third-party vendor, which the concerned administrator acknowledged to be not his.
14. ABS-CBN then required its third-party vendor to reset all passwords and use two-factor authentication.
15. Upon examining the breach report submitted by ABS-CBN, the NPC investigation team summoned DPO Gomez for clarification on September 27.
16. Citing the MSSP’s report, Gomez said the incident is likely a coordinated attack and part of the massive card skimming campaign of cyber-criminal and threat group Magecart.
17. We note that had ABS-CBN insisted its third-party developer to use multi-factor authentication earlier, the site would not have been compromised.
18. The National Privacy Commission treats every instance of data breach with grave concern as it potentially puts at risk people’s data privacy.
19. In this regard, we strongly advise Personal Information Controllers (PICs) and Personal Information Processors (PIPs) to monitor their systems regularly, and have security checks in place, including the full implementation of at least two-factor authentication.
20. The National Privacy Commission’s investigation of the breach incident is still on-going and we appreciate the continued cooperation of ABS-CBN management.
# # #