1. At around 12:49 AM of September 28, we received informal notice from Facebook representatives that they had found a vulnerability in their app that was exploited by malicious attackers.

2. Facebook claims that the vulnerability affected around fifty million users, exposing personal data stored in their Facebook profiles.

3. The vulnerability was attributed to a combination of several programming errors in updates made in July 2017. As a result, malicious intruders were able to generate access tokens.

4. These access tokens allowed the intruders to log into affected FB profiles as if they were the actual profile holders. This means they had the ability to access data reserved for account holders even without having to enter the user's password.

5. As a remediation measure, FB terminated the sessions of persons it identified as having been affected and had them enter their login credentials again. This morning, the company has notified affected users of the incident. We have informed Facebook, however, that the notification it sent to individuals leaves much to be desired.

6. According to the company’s representatives, the investigation is still in its early stages. They have not determined yet how many Filipinos are affected and whether misuse of personal information had resulted from this breach.

7. The NPC has prescribed breach management procedures in place and we expect Facebook to abide by these rules.

8. The NPC shall notify the public about developments and its actions on this matter. To protect themselves, all Facebook users must enable multi-factor authentication on all platforms, employ strong passwords, and practice good digital hygiene. For more information on how to love yourself online, see https://www.privacy.gov.ph/30-ways/

Privacy Commissioner Raymund Enriquez Liboro


# # #