A lawmaker on Tuesday took the government to task for allowing contact tracing for COVID-19 to be done using multiple apps and databases, a practice that could be behind data breaches that flooded mobile phone users with spam text messages that incorporated their names.
Albay Rep. Joey Sarte Salceda, chairman of the House committee on ways and means, expressed dismay over the “carelessness” of the Inter-Agency Task Force for the Management of Emerging Infectious Diseases (IATF) in requiring contact tracing under multiple apps and databases, instead of using just one application with a single data controller protecting the data.
Salceda said contact tracing databases kept by different establishments may have been the source of the personal information used in text spam recently received by mobile phone users.
“The IATF did not push hard enough and enforce a single contact tracing app with a single database. That means you had different data collectors, some of whom may not have been able to protect the data. I don’t want to ascribe malice, but some of them may have even sold it,” Salceda said.
“All of these potential data breaches could have been limited by having just one single controller and clearinghouse of data that is also protected and audited,” he added.
Salceda asked that the National Telecommunications Commission work with the telecommunications companies to detect and prevent “a mass of successive text messages in suspicious volumes.” “That way, we can prevent mass or spam messaging.”
Salceda also asked the National Privacy Commission (NPC) to find the source of the data breach.
Under the Data Privacy Act of 2012, Salceda said, the data controller “shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.”
“The data controllers seem to have been incapable of protecting all the data. And there was plenty of room for breaches because there were so many data controllers, by virtue of having multiple contact tracing apps,” Salceda said.
“IATF and DOH required contact tracing in March 2020, but privacy guidelines were only issued in June 2020. So you had three months where it was a ‘wild west’ for data privacy. There was no sheriff in town for three months at least. That’s the only big data source I can identify,” he said.
“Because of how banking is now so interconnected with mobile [phones], we should treat mobile numbers with the same care as we treat banking. There’s money for thieves to steal in data breaches,” Salceda said.
Meanwhile, Rep. Wilbert Lee of the Agri party-list group sought a congressional investigation into the rampant text spam and phishing messages to protect consumers’ rights to privacy and security, and prevent these scammers from causing more harm.
In House Resolution 334, Lee cited the need for Congress to determine the effectiveness of the government’s intervention carried out by the Department of Information and Communications Technology (DICT), the NTC, the National Privacy Commission (NPC) and other government agencies against the continuing surge of scam text messages.
“It is the duty of the government to ensure that the consumers’ right to privacy is protected and that they are not victimized by fraudulent activities facilitated through spam and phishing messages,” the lawmaker said.
The Senate, too, moved to investigate the rampant text scams, with Senator Ronald dela Rosa calling for a probe.
In a statement on Tuesday, Globe Telecom Inc. (Globe) chief information security officer Anton Bonifacio said the company is “working closely” with the NTC and NPC to crack down on cybercriminals and protect data privacy.
To date, he said Globe has spent roughly P1.1 billion in capital expenditures to boost its capabilities in detecting and blocking scam and spam messages of both international and local origin.
“Globe also maintains a 24/7 security operations center, with over 100 people working tirelessly to detect attacks, breaches, and spam and text messages,” he said.
From January to July, Globe blocked a total of 784 million scam and spam messages, deactivated 14,058 scam-linked SIM cards, and blacklisted 8,973 SIM cards—in addition to 610 blocked domains or URLs.
On the other hand, PLDT-Smart chief information security officer Angel Redoble assured users that there is no evidence to suggest a breach in its network, with spam and scam messages received by its users mostly sent through individual SIM cards.
“Upon scrutiny of these spam messages, we have observed that the format of the names mimics the naming conventions used in popular digital services,” Redoble said.
Leah Jimenez, PLDT-Smart’s chief data privacy officer, said the companies continue to work with the NPC, the NTC, and law enforcement agencies to help track down cybercriminals responsible for these illegal activities.
“At this early stage, and pending completion of investigations, we believe it prudent to hold off on any conclusion. Our focus should be on identifying the source of these scam messages,” Jimenez said.
In 2021, PLDT-Smart invested nearly P3 billion to fortify its cybersecurity infrastructure to safeguard against emerging threats and vulnerabilities in telecommunications and cyberspace, Redoble said.
Earlier, the NTC ordered telcos to send warnings to the public against scam text messages that contain the names of their receivers.
Text scams have been on the rise since the height of the COVID-19 pandemic, with the latest fraudulent messages containing the names of their receivers and offering fake jobs, promises of a monetary prize, or similar money scams that lull users into giving sensitive information.
Such information can then be used by cybercriminals to log in to a person’s bank account, digital wallet, or social media account — resulting in both monetary and data privacy losses.