

Data breaches, companies’ fault — Liboro

The NPC said the subjects of the ransomware attack at S&R were its 22,000 customers, whose dates of birth, contact numbers and gender were compromised.



The National Privacy Commission (NPC) has urged citizens to practice “digital hygiene” so as not to fall victim to cybercrimes like “smishing,” or the sending of text messages to induce recipients to reveal personal information.

“Smishing” and its original form called “phishing” are preparatory acts to the commission of more serious crimes like identity and bank deposit thefts.

The NPC has issued the assurance that it is now coordinating with telecommunication companies and law enforcement agencies to minimize the commission of the said crimes victimizing mobile phone users.

In an interview during the Daily Tribune’s morning show Gising Na!, NPC Commissioner Raymund Liboro cautioned the public against responding to unsolicited text messages from unknown senders who may be smishing players looking for victims.

As smishing has become prevalent in the past weeks, NPC summoned the data protection officers (DPO) of Globe Telecom, Smart Communications, Dito Telecommunity, Lazada, Shopee, and several banks to report on the steps they are taking to combat the surge of text scams.

On Wednesday, PLDT and Smart Communications Inc. launched an information awareness campaign on the new methods being employed by cybercriminals.

“The recent SMS spamming activities are specific to job hiring. If mobile users open the link from any of these scam text messages, they will be redirected to the WhatsApp platform, in which they will be offered an attractive salary package, ranging from P5,000 to P10,000,” said Angel Redoble, PLDT and Smart’s Chief Information Security Officer, who likened this scheme to “digital pyramiding.”

Smishing syndicates usually mislead users, who are first prompted to provide their personal information and to open an account on a platform managed by the scammer. Through this channel, interested job applicants are lured to deposit cash, from which they will allegedly receive a percentage as commission.

However, once the investments have grown big, the individual will no longer be able to withdraw his or her commission and will be notified to access the Telegram app for cash transactions for bigger amounts.

Meanwhile, in the case of S&R Membership Shopping, Liboro said the company has already instituted measures to secure its system, recover compromised data, prevent further disclosure and stop the recurrence of similar attacks.

This was after S&R confirmed to the NPC that the subjects of the ransomware attack were its 22,000 customers, whose dates of birth, contact numbers, and gender were compromised.

Luckily, the credit cards and other financial information of its members were not among the compromised personal data, based on the disclosure and confirmation of S&R’s DPO.

The NPC tasked S&R to fully disclose and to notify the affected data subjects individually. Likewise, the Commission directed them to provide the technical report of the incident from the third-party cyber security firm.

Liboro warned companies of criminal liabilities over violations of the Data Protection Act if their databases are breached and their customers’ data are stolen.

“Let me underline that it is not the fault of a person to be hacked. Companies should always check if they have enough measures in place to prevent hacking and to protect the customers’ data. Our guidelines for companies are clear and if they have questions, they can always visit us or our website on how the NPC can help to step up their security measures,” Liboro stated.

Recently, the NPC said that the smishing activities in the country are run by a global crime syndicate, not by a group that has gained unauthorized access to contact tracing forms, one of the first suspicions raised by victims.

“We urge the public that if you don’t know the sender of the text message or they are not in your contact list, then you must not entertain them or immediately block the number of the sender and don’t click the link you are being told to click,” the NPC official said.

“We must remember that it is our obligation to protect ourselves and our data from those we don’t know because, in a flick of a finger, you can lose your hard-earned savings and money,” Liboro stressed.

He revealed that telecommunications companies have already taken down the fraudulent conduits or domains used by smishing perpetrators following an initial probe.

“They (telcos) have already identified almost 50 domains and its host was found in India. Also, banking institutions have already frozen two bank accounts where the money is being deposited, purportedly owned by these criminals,” Liboro disclosed.