EDITORIAL - Data breach: Trace the source

Anyone with a mobile phone in this country must have received, at least once, a text message alert about a win in something that the phone owner didn’t join. As people quickly learned to delete such messages, the scammers also rapidly switched to schemes that illegally use the websites or accounts of reputable businesses or organizations, inciting the disclosure of personal information.

Phishing or the use of e-mails for scams, smishing or the use of text messages, and vishing or the use of phone calls for fraud proliferated during the COVID lockdowns, when people were forced to migrate online for many of their day-to-day transactions. The scammers preyed particularly on those who lost their jobs and other sources of livelihood, enticing potential victims with promises of gainful employment or money-making opportunities.

With the easing of COVID mobility restrictions, the scammers appear to have attained greater sophistication. There are increasing complaints – and concerns – about fraudsters using the names of owners of cell phone service and social media accounts to launch their scam attempts. Even senators have said they received unwanted messages addressed to them by name.

Where did the personal data come from?

Suspicions focus on COVID contact tracing information collected at the height of the pandemic, mainly through the unlamented StaySafePH app, although several local government units had their own apps.

Some quarters have also raised the possibility of data breaches in companies engaged in e-commerce, app-based delivery and ride hailing.

Following a bank scam that victimized public school teachers, banks have warned their clients against giving out passwords and clicking on links sent by e-mail or text. The banks have also committed to regulators that tighter measures are being implemented to foil hackers and digital fraudsters.

Yesterday the head of the Department of Information and Communication Technology said the government is almost helpless in stopping data breaches and digital scams. This is a worrisome pronouncement from the head of the department that is supposed to have the expertise in this area.

Law enforcement agencies have units dedicated to fighting cybercrimes, but they need more tools. The previous Congress passed a law requiring the registration of SIM cards, but Rodrigo Duterte vetoed it in his final days as president. One possible reason, according to disappointed lawmakers, was that the measure included a requirement to register social media accounts.

The current Congress is crafting a new version of the measure, which will require only SIM card registration, with social media accounts tackled in another bill. Telcos, meanwhile, are assuring the public of continuing efforts to upgrade their cybersecurity capabilities.

Any step will be welcome, and must be speeded up, before the scammers find worse uses for the personal data they have obtained. At the same time, the government cannot afford to give up trying to trace the source of the data breaches.