NPC: Personal data in text scams may have been harvested from mobile apps
The information being used by text scammers may have been scraped or harvested from online payment and messaging applications, according to the National Privacy Commission (NPC).
NPC deputy commissioner Leandro Aguirre on Thursday told senators in an organizational meeting of the Senate committees on public services that an initial investigation of the commission also indicated there was no breach of the data of several mobile applications.
“The ones we’re seeing now… a lot of these seem to be a result of scraping or harvesting from payment applications, messaging applications. This is what we are initially seeing. This is not manual harvesting because that would not be efficient. There’s an automated way of going through; that's what we are initially seeing,” Aguirre said.
“We’re not ruling out the possibility of a leak or a breach but based on the evidence we’re seeing, it seems unlikely at this point in time. The same with the manual contact tracing forms, the ones where what we fill out gets encoded, because that would not be efficient and not consistent with the names we’re seeing in the text messages,” he added.
Senators discussed six Senate bills that propose the mandatory registration of SIM cards and two resolutions seeking an investigation into the rising number of text scams.
In a House committee hearing, Aguirre previously said it would be difficult to trace the sender of spam messages since there could be numerous possible sources.
But while it is not seeing any breach, the official said the commission is also probing if there was negligence on the part of those handling mobile applications.
“There’s an obligation on the part of personal information controllers, those who control the processing of our information to put in place appropriate security measures to ensure that the information they're processing cannot be taken easily,” he said.
“That’s where we are also looking at. If there's negligence. I guess in their implementation of a certain security measure. That is what we are looking at here. What they were doing before and what they were doing after, and whether they detected these kinds of activities,” he added.
Government agencies present at the hearing, including the National Telecommunications Commission (NTC), National Bureau of Investigation (NBI) and Philippine National Police (PNP), confirmed receiving reports related to the spam messages, with NTC saying it had received 800 reports in 2022.
This irked Senator Grace Poe, chairperson of the Senate Public Services Committee, who said the NTC appeared to be doing only public information work by telling telecommunication companies to issue warnings against the scams.
Poe asked if the NTC had a hotline but Commissioner Gamaliel Cordoba said it is on their website.
"You haven't memorized your hotline number? If you don't know your own hotline number, how would we? I'm very disappointed. If you were really serious about this issue, this would be at the top of your head and you would really tell the public that this is the number you can call and text," the senator said.
Poe advised the commission to send more text blasts to warn the public against engaging in the fraudulent activities included in the spam messages.
"Do it more often, be more diligent in giving the order for them (telcos) to text to warn subscribers," she said.
NTC had previously ordered telecommunications companies to blast warnings to the public against scam text messages. It also directed officials to appear in interviews to advise the public against unscrupulous messages.
Meanwhile, state agencies at the inquiry also expressed support for the proposed SIM Card Registration Act but expressed reservations about a provision mandating users to register their social media accounts.
NTC, for its part, also warned against the establishment of a centralized database “which might make it more susceptible to targeting”.
“We support the intentions of the SIM card registration bill. We’re only cautioning in relation to the creation of a centralized database which might make it more susceptible to targeting,” Aguirre said.
Telco companies Globe and Smart, for their part, proposed selling deactivated SIM cards should the law be passed. They said the prepaid mobile cards will only be activated after an online registration.
Poe welcomed the proposal but asked the companies to prepare alternatives.
The Department of Information and Communications (DICT) said the national identification cards (IDs) will help in the implementation of the measure.
“That's precisely why we’re rushing the rollout of the national ID. Because the deployment would simplify a lot of other identity issues. One way is once they buy the SIM cards, they scan the barcode of the national IDs, and once they scan it, it would access the data to verify the identity,” DICT Secretary Ivan John Uy said.
Legislators in the 18th Congress passed a law mandating SIM card registration, but it was vetoed by former President Rodrigo Duterte in April.—LDF, GMA News