MANILA, Philippines – A lack of multi-factor authentication protection on an administrator account of ABS-CBN’s store appears to have been the cause of the hack that affected 208 shoppers.

National Privacy Commission (NPC) Commissioner Raymund Liboro released an updated statement regarding the ABS-CBN store hack on Friday, October 12, giving an updated timeline of what happened following the discovery of the hack. 

In the statement, the NPC noted that, “had ABS-CBN insisted its third-party developer to use multi-factor authentication earlier, the site would not have been compromised.”

The timeline

ABS-CBN said they only found out about the hack on the morning of September 19, after an article on ZDNet was published on it some 9 hours earlier.

ABS-CBN alerted its Managed Security Service Provider (MSSP) about the hack. The MSSP instructed the third-party vendor to take down the ABS-CBN store for investigation, and the site went offline at around 9:28 am, a little over 10 hours after the ZDNet report went live.

The MSSP reported a “malicious javascript” was running on the ABS-CBN online store. The program “captures a customer’s payment card information while an online purchase transaction is in progress.” (Q&A: RiskIQ’s Yonathan Klijnsma on the group that hacked the ABS-CBN store)

Attackers were able to grab the following personal information of shoppers in real-time:

• The customer’s name
• Customer credit card number
• The credit card expiration date
• The card verification number 
• The customer email address
• Customer phone number
• The customer’s residential address

The NPC report added the code was uploaded on August 16, and was active until the site takedown, affecting 208 customers out of a total of 44,000 registered users. (Q&A: Researcher who found ABS-CBN breach on detecting skimmers)

ABS-CBN said it alerted 202 of the customers within 72 hours of the data breach’s discovery using cellphone messages or email. Six customers who did not offer a contact number or used an invalid email address needed to be reached via postage mail. In each case, users were asked to inform their bank or credit card provider and change their password.

The MSSP added it found suspicious logins from an administrator account of the third-party vendor.

The administrator holding the account said the logins were not his, leading to the conclusion that multi-factor authentication on the store’s administrative accounts would have protected the store from the attack to a greater extent.

The statement is in accord with the hacking method explanation by Willem de Groot, the security researcher who discovered the malware on the ABS-CBN store. He explained to Rappler in an interview that the attackers, suspected to be a group called Magecart, attempt to guess an administrator’s password. When they finally get a password right, they log in and embed the skimming malware.

The UAAP store, which was taken down as well, was not affected by the hack. – Rappler.com