Grave data breach

The recent data breach involving online lending app Cashalo has underlined the risks attendant to the country’s transition to a digital economy. Sensitive information on some 3.3 million users of the online app found its way to the so-called dark web, where all sorts of cybercriminal activities happen.

The National Privacy Commission (NPC) said its investigation on the Cashalo breach showed that data of users were successfully downloaded from the firm’s database, which might indicate a violation of the app’s privacy measures, and then dumped on the dark web where these were being sold since Feb. 14. Cashalo—operated by Oriente Express Techsystem Corp.—claimed that no customer account or password had been compromised in the data breach, even though it was reported that the customer information said to have been illegally accessed included “the usernames, emails, phone numbers, device ID and encrypted passwords” of Cashalo customers.

No matter the results of the probe being conducted by the NPC, sensitive data of Cashalo customers such as e-mail addresses and phone numbers are now compromised, and their owners risk becoming targets of hackers and criminals who employ various ways to steal money via schemes like identity theft. These customers will now be forced to change immediately all their online credentials such as user names and passwords and possibly email addresses and phone numbers, to avoid being victimized by cybercriminals.

This incident again exposes the weaknesses in the cybersecurity systems of many local companies that might be scrimping on the added cost of keeping the data of their customers safe. It also reflects on the weakness of state supervision and regulation over the growing number of apps providing financial services to the public. The core issue is about enhancing and fortifying cybersecurity. Companies, big or small, need to invest in the latest technologies that will ensure the airtight safety and security of their customers’ data. Advanced technology may be expensive, but it should be a requisite in the government’s efforts to enhance the security of private data in the country.

This becomes more urgent given the desire of monetary authorities for local financial technology firms or fintechs to play a bigger role in the new economy now emerging from the coronavirus pandemic. Functions that were previously the exclusive domain of traditional financial institutions before the COVID-19 crisis, such as lending money on a retail basis, are now being provided by newly minted fintechs. The Bangko Sentral ng Pilipinas (BSP) is targeting to have half of all retail transactions in the Philippines done digitally by 2023, up from the current 20 percent. The regulator also wants at least 70 percent of all adult Filipinos to be using digital transaction accounts within this period.

The country’s financial regulators, led by the BSP, have agreed to come up with a unified monitoring and supervision scheme for the local fintech sector. The central bank said a memorandum of agreement was recently signed under the auspices of the multi-agency Financial Sector Forum on the establishment of a cooperative oversight framework on the fintech industry. This is a good start. E-commerce fraud is projected to continue increasing as the economy transitions to more digital forms of transacting business. All sorts of digital transactions that involve money attract criminals, from credit cards to e-wallets to online shops using alternative payment methods. Savvy tech fraudsters and racketeers are also getting more sophisticated in getting access to bank account details and online shopping credentials, such as payment information stored in shopping apps.

The explosion of online financial transactions in the wake of the pandemic requires corresponding stricter supervision from authorities, and faithful compliance on the part of fintech firms especially in the area of protecting the privacy of their clients and their data, where all e-commerce and cybercrime seem to start. The trust of the people in a digital economy risks being seriously undermined if data breaches such as what happened to Cashalo become a regular occurrence, and no accountability is meted out.