ABS-CBN could have prevented data breach in online shop — privacy agency | Inquirer Business

ABS-CBN could have prevented data breach in online shop — privacy agency

/ 05:59 PM October 12, 2018

Media giant ABS-CBN Corp. could have prevented its online store from being compromised last month if necessary steps were made. And now, the credit card data of some users were presumed to be endangered.

This is according to the head of the National Privacy Commission (NPC) in a statement on Friday, stopping short of calling the incident a result of the company’s negligence. 

Privacy Commissioner Raymund Liboro said that a “malicious java script” from the ABS-CBN online store captured credit card information while an online purchase is ongoing. 

Article continues after this advertisement

This is based on a report from ABS-CBN, which NPC required last month in light of the data breach that likely exposed the sensitive information of more than 200 users. NPC consequently looked into the report. 

FEATURED STORIES

The breach has been happening for weeks already before the company found out and acted on it. According to NPC, the attacker uploaded the malicious code on August 16 and remained active until the site was taken down sometime last month.

“The credit card data of those who transacted with the site from August 16 until September 18 were presumed to be compromised,” he said. 

Article continues after this advertisement

“We note that had ABS-CBN insisted its third-party developer to use multi-factor authentication earlier, the site would not have been compromised,” Liboro said. 

Article continues after this advertisement

NPC could not say for sure if the data of these users had indeed been breached. The agency, however, assumed the number of users impacted by looking at the number of transactions during the time the site was compromised. 

Article continues after this advertisement

The agency said there were 208 validated purchase transactions then. This is slightly lower than the number released by ABS-CBN last month, which pegged the figure at 213 customers. 

He noted that the attacker was able to illegally obtain in real-time the personal data of affected customers, including their name, credit card number and  its expiration date, as well as the card verification number.

Article continues after this advertisement

He also said that other data such as email address, phone number, and residential address might have likewise been collected.

The incident was likely a coordinated attack and part of the massive card skimming campaign of cyber-criminal and threat group Magecart, Liboro said after meeting with ABS-CBN’s Data Protection Officer Jay Gomez. 

The UAAP Online Store, which was also taken down, was not affected. He said it was taken down since the store uses the same “payment gateway” and “provider platform” as the compromised site.

“Oddly, the MSSP also found suspicious logins from one of the administrator accounts of the third-party vendor, which the concerned administrator acknowledged to be not his,” Liboro said without expounding. 

Your subscription could not be saved. Please try again.
Your subscription has been successful.

Subscribe to our daily newsletter

By providing an email address. I agree to the Terms of Use and acknowledge that I have read the Privacy Policy.

Liboro did not say the possible consequences — if any — that ABS- CBN has to face. He said the investigation is still ongoing. /kga

TAGS: ABS-CBN, Business, business news, data breach, Internet, local news, National Privacy Commission, News, Online, Online store, Philippine news updates

Your subscription could not be saved. Please try again.
Your subscription has been successful.

Subscribe to our newsletter!

By providing an email address. I agree to the Terms of Use and acknowledge that I have read the Privacy Policy.

© Copyright 1997-2024 INQUIRER.net | All Rights Reserved

This is an information message

We use cookies to enhance your experience. By continuing, you agree to our use of cookies. Learn more here.