The National Privacy Commission launched a probe into telecommunication companies to determine if they exercised due diligence and accountability in transacting with data aggregators amid the text scam controversy.
Last month, some Filipinos reported receiving dubious text messages about job offers with high salaries and sales of products from e-commerce websites.
Most messages also have links to a WhatsApp channel.
They suspected that their phone numbers might have been leaked from contact tracing forms and apps required as entries for establishments.
Associate Justice Marvic Leonen also raised alarm over the slew of unsolicited text messages he had been receiving.
Leonen warned that this could put the country’s digital infrastructure at risk for “mistrust and malware.”
These incidents prompted the NPC to summon digital protection officers of telecommunication providers, e-commerce websites and some banks to report to them their spam preventive measures for investigation.
In an update on December 1, the commission ordered Globe Telecom, Inc., Smart Communications, Inc. and Dito Telecommunity Corp. to submit documents about their “data flows and transactions involving data aggregators.”
This would help in assessing if these providers exercised due diligence and accountability in dealing with data aggregators linked to sending spam texts to millions of Filipinos.
The same orders were also sent to Union Bank of the Philippines, Inc. and GCash (Mynt – Globe Fintech Innovations, Inc.), being the main payment channels where victims of smishing deposit their money to.
“The investment accounts invariably become inaccessible to the victims after they had been enticed to deposit larger sums in exchange for bigger commission,” NPC said.
Trendmicro described “smishing” as “a form of phishing that uses mobile phones as the attack platform.”
On the other hand, the NPC stated that data aggregators are involved in the proliferation of these fraud cases.
Data aggregators could be “legal entities tapped by companies such as global brands to act on their behalf and deal with telcos in blasting promotions and other company messages to their customers.”
Pushing for attestation
Privacy Commissioner Raymund Liboro also pushed for attestation wherein the owner of the number sending the unsolicited texts can be traced through a registry.
Liboro said that the commission found that the smishing and text spams came from webhosted companies in China and India.
“At the meeting with the NPC on November 24, the data protection officers of Globe Telecom and Smart Communications revealed a complex chain of data aggregation and handling, involving data brokers, that is bringing new challenges to compliance and enforcement,” he said.
Globe Telecom, in particular, reported that a data broker Macrokiosk was tapped by a firm named China Skyline Telecom as the main source of messages that “share the theme of job hiring and contain a Whatsapp contact link.”
Globe noted in its report that 1.55 million of these messages were sent via its network from November 11 to 21.
The commission previously stated that recent incidents of smishing are run by a global crime syndicate based on their initial findings.
“If our initial findings prove true, that personal data is being exploited by criminals abroad, then this also becomes a matter of national security, which should compel government, the private sector and advocate groups to work hand in hand and take more urgent and concrete action to safeguard,” Liboro said.