ABS-CBN could have prevented data breach in online shop — privacy agency

Media giant ABS-CBN Corp. could have prevented its online store from being compromised last month if necessary steps were made. And now, the credit card data of some users were presumed to be endangered.

This is according to the head of the National Privacy Commission (NPC) in a statement on Friday, stopping short of calling the incident a result of the company’s negligence. 

Privacy Commissioner Raymund Liboro said that a “malicious java script” from the ABS-CBN online store captured credit card information while an online purchase is ongoing. 

This is based on a report from ABS-CBN, which NPC required last month in light of the data breach that likely exposed the sensitive information of more than 200 users. NPC consequently looked into the report. 

The breach has been happening for weeks already before the company found out and acted on it. According to NPC, the attacker uploaded the malicious code on August 16 and remained active until the site was taken down sometime last month.

“The credit card data of those who transacted with the site from August 16 until September 18 were presumed to be compromised,” he said. 

“We note that had ABS-CBN insisted its third-party developer to use multi-factor authentication earlier, the site would not have been compromised,” Liboro said. 

NPC could not say for sure if the data of these users had indeed been breached. The agency, however, assumed the number of users impacted by looking at the number of transactions during the time the site was compromised. 

The agency said there were 208 validated purchase transactions then. This is slightly lower than the number released by ABS-CBN last month, which pegged the figure at 213 customers. 

He noted that the attacker was able to illegally obtain in real-time the personal data of affected customers, including their name, credit card number and  its expiration date, as well as the card verification number.

He also said that other data such as email address, phone number, and residential address might have likewise been collected.

The incident was likely a coordinated attack and part of the massive card skimming campaign of cyber-criminal and threat group Magecart, Liboro said after meeting with ABS-CBN’s Data Protection Officer Jay Gomez. 

The UAAP Online Store, which was also taken down, was not affected. He said it was taken down since the store uses the same “payment gateway” and “provider platform” as the compromised site.

“Oddly, the MSSP also found suspicious logins from one of the administrator accounts of the third-party vendor, which the concerned administrator acknowledged to be not his,” Liboro said without expounding. 

Liboro did not say the possible consequences — if any — that ABS- CBN has to face. He said the investigation is still ongoing. /kga

Read more...