Contact tracing conducted by companies suspected of being the source of the data breach

September 7, 2022

Manila, Philippines — Contact tracing conducted by commercial establishments at the height of the COVID-19 pandemic may be one of the culprits behind the wave of fraudulent text messages sent to cellphone users.

This was according to Albay Rep. Joey Salceda, who has called out the Inter-Agency Task Force for the Management of Emerging Infectious Diseases (IATF) for being “negligent” in securing the privacy of contact tracing data.

“The IATF has not pushed hard enough and enforced a single contact tracing app with a single database. That means [the task force] had different data collectors, some of which may not have been able to protect the data,” he said in a statement.

“I don’t want to attribute malice, but some of them may have even sold it,” he added.

“All of these potential data breaches could have been limited by having a single controller and data clearinghouse that was also protected and audited,” he added.

The task force has been contacted to comment on Salceda’s observations, but has yet to respond as of this writing.

“No Sheriff”
Contact tracing began shortly after the pandemic hit the country in March 2020.

Salceda noted that “the privacy guidelines [on information from contact tracing] were only issued in June [that year].”

“So you had three months where it was a ‘Wild West’ for data privacy. There was no sheriff in town for at least three months. That’s the only big data source I can identify,” he said.

“[Considering that] banking services are now so interconnected with mobile numbers that we have to treat mobile numbers with the same care that we treat banking services. There is money for thieves to steal in data breaches,” added the lawmaker, who said he also received fraudulent messages bearing his name.

Salceda said the National Telecommunications Commission (NTC) should work with telecom operators to detect and prevent the “mass of successive text messages” being sent to subscribers.

The NTC has in effect ordered these companies to send text messages to their subscribers and submit a compliance report by Friday.

Additionally, the National Privacy Commission (NPC) should find the source of the data breach, Salceda said.

The commission said earlier that it was already examining the proliferation of fraudulent messages.

Contact tracing apps
Salceda also cited Republic Act No. 10173 or the Data Privacy Act of 2012, which requires data controllers to notify the NPC if personal information that may be used for identity impersonation could have been obtained by an unauthorized party.

“Data controllers appear to have been unable to protect all data. And there [had been] lots of room for breaches because there were so many data controllers, due to multiple contact tracing apps,” Salceda said.

But Angel Redoble, chief information security officer at Smart Communications Inc., said when contacted for comment that “there is no evidence to suggest a breach in our systems that gave the perpetrators the ‘access to the mobile numbers and names of our subscribers.’”

He also said: “These [scam] messages are not from [our] aggregators or their customers.”

Data aggregators, as defined by the NPC, are “entities operated by companies such as global brands to act on their behalf and deal with telecommunications carriers in connection with explosive promotions and other messages of business to their customers.”

Meanwhile, Ingrid Rose Ann Beroña, chief risk officer of GCash, said the Ayala-owned e-wallet service provider had already “migrat[ed] [its] transaction confirmation messages from text messages to app inbox.”

She said this “helps ensure that users only receive legitimate messages regarding their GCash transactions.”

The vetoed bill is revived
The slew of scam text messages prompted lawmakers to address the issue and even reintroduce the SIM card registration bill, which then-President Rodrigo Duterte vetoed last April due to its provision including social media providers in the record.

On Monday, the House Information and Communications Technology Committee approved this consolidated bill from the 18th Congress. Salceda, who heads the ways and means committee, said this was permitted under Rule 48 of Bylaw 10.

Also that day, AGRI Representative Wilbert Lee tabled a resolution calling for an investigation into the fraudulent messages, while Senator Nancy Binay tabled a similar measure in her chamber.

According to Sen. Grace Poe, the Senate Public Services Committee, which she heads, will begin its own investigation Thursday.