Contact tracing apps and databases seen as sources of recent spam wave

On Tuesday, a lawmaker criticized the government for allowing contact tracing for COVID-19 using multiple apps and databases, a practice that could be behind data breaches that have inundated mobile phone users with spam incorporating their names.

Albay Rep. Joey Sarte Salceda, chairman of the House Ways and Means Committee, expressed dismay at the “negligence” of the Interagency Task Force for the Management of Emerging Infectious Diseases (IATF) in requiring contact tracing across multiple apps and databases, instead of using a single app with a single data protection controller.

Salceda said contact tracing databases at different institutions may have been the source of the personal information used in text spam recently received by mobile phone users.

“The IATF has not pushed hard enough and enforced a single contact tracing app with a single database. This means that you had different data collectors, some of which may not have been able to protect the data. I don’t want to attribute malice, but some of them may have even sold it,” Salceda said.

“All of these potential data breaches could have been limited by having a single controller and data clearinghouse that was also protected and audited,” he added.

Salceda called for the National Telecommunications Commission to work with telecommunications companies to detect and prevent “a mass of successive text messages in suspicious volumes.” “This way we can prevent mass or extended messaging.”

Salceda has also asked the National Privacy Commission (NPC) to find the source of the data breach.

Under the Data Protection Act 2012, Salceda said, the controller “must promptly notify the Commission and data subjects where sensitive personal information or other information which may, in the circumstances, be used to enable impersonation are reasonably suspected to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to result in a real risk of serious harm for everyone involved.”

“Data controllers appear to have been unable to protect all data. And there was a lot of room for breaches because there were so many data controllers, due to multiple contact tracing apps,” Salceda said.

“The IATF and DOH required contact tracing in March 2020, but the privacy guidelines weren’t released until June 2020. So you’ve had three months where it’s been a ‘wild west’ for data confidentiality. There was no sheriff in town for at least three months. It’s the only big data source I can identify,” he said.

“Because of the way banking is now so interconnected with mobile [phones], we should treat mobile numbers with the same care that we treat banking services. Thieves have money to steal in data breaches,” Salceda said.

Meanwhile, Rep. Wilbert Lee of the Agri party-list group has called for a congressional investigation into rampant text spam and phishing messages to protect consumers’ rights to privacy and security, and to prevent these crooks from causing more harm.

In House Resolution 334, Lee cited the need for Congress to determine the effectiveness of government intervention by the Department of Information and Communications Technology (DICT), the NTC, the National Privacy Commission (NPC) and other government agencies against the onslaught of fraudulent SMS messages.

“It is the government’s duty to ensure that consumers’ right to privacy is protected and that they are not victims of fraudulent activities facilitated by spam and phishing messages,” the lawmaker said.

The Senate has also moved to investigate rampant texting scams, with Senator Ronald dela Rosa calling for an investigation.

In a statement on Tuesday, Globe Telecom Inc.’s (Globe) chief information security officer, Anton Bonifacio, said the company was “working closely” with the NTC and NPC to crack down on cybercriminals and protect data confidentiality.

To date, he said Globe had spent about 1.1 billion pesos in capital expenditure to strengthen its capabilities to detect and block scams and spam from international and local sources.

“Globe also maintains a 24/7 security operations center, with more than 100 people working around the clock to detect attacks, breaches, spam and text messages,” he said.

From January to July, Globe blocked a total of 784 million scam and spam messages, deactivated 14,058 scam-related SIM cards and blacklisted 8,973 SIM cards, in addition to 610 blocked domains or URLs.

On the other hand, PLDT-Smart’s chief information security officer, Angel Redoble, assured users that there was no evidence to suggest a breach in its network, and that the spam and scam messages received by users were mostly sent via individual SIM cards.

“After reviewing these spam messages, we observed that the format of the names mimics naming conventions used in popular digital services,” Redoble said.

Leah Jimenez, data privacy manager of PLDT-Smart, said the companies continue to work with the NPC, NTC and law enforcement to help track down the cybercriminals responsible for these illegal activities.

“At this early stage, and pending the completion of investigations, we believe it is prudent to await any conclusion. Our goal should be to identify the source of these fraudulent messages,” Jimenez said.

In 2021, PLDT-Smart invested nearly 3 billion pesos to strengthen its cybersecurity infrastructure to protect against emerging threats and vulnerabilities in telecommunications and cyberspace, Redoble said.

Previously, the NTC had ordered telecom carriers to send warnings to the public against fraudulent text messages containing the names of their recipients.

SMS scams have been on the rise since the height of the COVID-19 pandemic, with the latest fraudulent messages containing the names of their recipients and offering fake jobs, promises of monetary prizes or similar financial scams that trick users into providing sensitive information.

This information can then be used by cybercriminals to log into a person’s bank account, digital wallet, or social media account, resulting in financial and data privacy losses.