Privacy breaches

The big word these days on social media is privacy. Netizens, after having had their fill of posting, sharing, and liking of family events, personal views, and reflections on a myriad of topics, are coming face to face with the perils of being “overexposed.”

It’s not sure yet just how far-reaching and damaging these reported breaches of one’s privacy will be, but the very thought that this is not just confined to Facebook, but even to legitimate businesses that handle sensitive personal data, is enough to make one’s anxiety levels rise.

Facebook, the host of the world’s biggest social media site, had announced last month that over 29 million of its user accounts had been hacked, exposing phone numbers and email addresses.

Worse, 14 million of those users had their additional biographical data (self-reported current city, education, work, people they follow, the last 10 places they were tagged in, and the last 15 searches) revealed to hackers.

But this is old news. The latest exposé involves airline Cathay Pacific, which late last month revealed that data of 9.4 million of its passengers, including approximately 100,000 Filipinos, were illegally accessed by yet unknown hackers.

Although Cathay Pacific has assured customers that there has been no evidence of stolen personal information misused since March when the airline first noticed the security breach, some 860,000 passport numbers, about 245,000 Hong Kong identity card numbers, 403 expired credit card numbers, and 27 credit card numbers with no card verification value (CVV) had been accessed without permission.

Proving culpability

These latest incidents have prodded appropriate government agencies in affected countries and regions tasked to oversee data protection to launch investigations on the culpability of the companies involved. The work, however, is going to be tough.

It will be difficult, for example, to pinpoint negligence on the part of victimized companies. We all know that cyber criminals always are on the offensive, studying ways on how to trespass even the tightest security precautions.

Unless there had been an explicit intent by company officials to ignore warnings of potential security breaches, a revelation of the weakest link in the frontline is usually learned only after an attack – and usually, a successful one – has occurred.

Putting a finger on the value of damages is also going to be hard work. Like in Cathay Pacific’s case, it has to be proven that the leaked personal data would have been related to an act of crime, like stolen credit cards being used to make unauthorized purchases.

Balancing regulation

The European Union’s General Data Protection Regulation (GDPR) is touted to be one of the toughest data security regulators in existence today. Yet, it is also being criticized as overly stern – to the point that enforcing its laws to the letter would be impractical.

In the case of Facebook, where reportedly three million Europeans were affected, the GDPR stipulates that companies handling the personal data of Europeans must adhere to strict requirements for holding and securing that information, and must report breaches to authorities within 72 hours.

Not to adhere to this regulation would expose companies found in violation to fines of up to four percent of their annual global revenue. Facebook made more than $40.65 billion in revenues last year, and a fine could mean at most $1.63 billion.

To enforce this regulation would likely force Facebook to move out of Europe, something that would not be popular with social network users, especially since the exposed privacy breaches may not matter much to those affected.

Personal safety

While Facebook seems to be diligently watching out for possible attacks on its users’ personal information and data security, a number of netizen advisories have been circulating to stem any attacks that could pose as risks to users.

The following is from the Bank of the Philippine Islands, whose concern is about social media users exposing too much information, which cyber criminals could use to gain access to bank accounts, emails, or credit card information.

Posting geo-tagged photos that indicate the place of residence and work, snapshots of identification cards, boarding passes for vacations, and sharing details of one’s lifestyle makes social media users more attractive to hackers.

For example, barcodes found on boarding passes reveal a lot of private information that anyone can access with basic barcode reading software, which is usually available free on most mobile phones. Barcodes can include your full name, arrival and departure airports, the airline you’re flying with, the flight record number, and your frequent flyer number.

According to BPI, once someone has access to your account, they will be able to do anything from cancelling flight to changing personal information related to the account.

Social media users are warned against downloading digital information and files while oblivious to viruses, spam or phishing attacks, or performing banking transactions online, or through their smartphones without much regard for possible security breach.

To protect online privacy and strengthen cyber security, BPI advises social media users to remove or omit as much personal and sensitive information as they can from social networking sites. Securing one’s mobile phone, both physically and digitally, is also a must as it carries sensitive information—contact lists, location and browsing history, among others.

To further fortify one’s online defenses, the bank recommends using difficult and different passwords across multiple platforms and services—including online or mobile banking apps, and to stop using public or open Wi-Fi, which can easily be raided by hackers to steal or download personal files.

Facebook and Twitter

We are actively using two social networking websites to reach out more often and even interact with and engage our readers, friends and colleagues in the various areas of interest that I tackle in my column.

Please like us on www.facebook.com/ReyGamboa and follow us on www.twitter.com/ReyGamboa.

Should you wish to share any insights, write me at Link Edge, 25th Floor, 139 Corporate Center, Valero Street, Salcedo Village, 1227 Makati City. Or e-mail me at [email protected]. For a compilation of previous articles, visit www.BizlinksPhilippines.net.