What Philhealth hackers can do with your data
Cybersecurity expert Dominic Ligot explains the dangers to personal data after Philhealth was hacked
Christian Esguerra
Run time: 10:28

Video Transcript / Subtitles (AI generated):
00:00.0
... The hackers gave a sample before the deadline. And it's just a list of files. The list was so big, almost 50 or 60 MB for that list alone, not yet the actual files.
00:19.0
... And there is data in there that really looks sensitive, according to that list. There's a list of senior citizens, there's an employee list. Just search for the keywords; until you see the actual file, you don't know what's there.
00:50.0
... Using that information is going through the data. And for me, the immediate protocol there should be, if it were just me, contact whoever is in there right away, you did not compromise your information, and take the following precautions.
01:07.0
Actually, even I, not even knowing what's in the database, already posted. Guys, if your number in PhilHealth is one you use for any other thing, change it right away. Just don't even entertain the possibility that your identity gets compromised.
01:25.0
Because nowadays, without us asking for it, our cellphone has become our personal identifier. Most people use only one phone anyway. Me, F3, because I'm really paranoid. But for others, you have one phone, and it's the same one you use for Facebook, the same one you use for whatever, Lazada, Angkas, probably your online banking.
01:46.0
The moment a hacker finds that out, there's an attack called SIM swap. Say it's you: I know your number, Christian Esguerra, and I have a copy of your IDs, which allegedly the Medusa people have based on that dataset. They also released a video. Literally, passport photos are in there.
02:07.0
So I have your ID, Christian, I have your number. I go to the telco. Hi, this is Christian Esguerra, I lost my SIM, can I request a replacement? And again, maybe the pressure is now on the telcos, how are they verifying the identity? But usually, they'll just look: please provide an ID, if you're not the person, an authorization letter, and then within 24 hours you have your SIM.
02:29.0
I get your SIM; next step, your email. I'll reset your Gmail or whatever email you have. Your email is easy to guess, Christian.Esguerra or whatever. Various combinations, there are normal combos for that. The moment I've reset an email of yours, it's over, that's it. Probably it's the same email you use for Facebook, it's the same email you use for Lazada and everything else. It's over, I've got your identity.
02:57.0
For me, that's the immediate chain reaction. Oh my gosh, I said, the cellphone numbers are in there. We have to tell people, it's a hassle, change it right away. The biggest hassle is the bank. If your banks are like my banks, you have to go in person to change them at the branch of account. That's hard, a huge hassle.
03:19.0
Which bank is that? What is it for you?
03:23.0
The local banks, UPI, BDO, Metrobank, that's the normal protocol.
03:26.0
Yup, basically at the branch.
03:29.0
And if your SIM card has been replaced without your knowledge, your OTP will now go to the hacker. I mean, think about it. Because that's your way of protecting your identity. The multi-factor or two-factor authentication, OTP, PIN, that should go to your phone.
03:48.0
And if you no longer control your SIM because it has been replaced. Imagine, that's 3 steps. You have to go to the telco and tell them, hey, the one who had the SIM replaced, that wasn't me. Oh, please provide verification, and so on. It takes long, there's even an affidavit of loss and all that. You're really wide open if you entertain the possibility.
04:08.0
So what should be done, since PhilHealth has so many members, more than 90% coverage, they're proud of that. So your advice is, just to be cautious.
04:21.0
On the safe side, if you think your number is with PhilHealth, because PhilHealth has an application form, that's a lot of data. You fill that up.
04:33.0
You may not even remember what you filled in, because you probably applied for it when you started working. If it's the same number you're using for any other identity, don't even think twice. Detach it now. At the very least, detach your number from your emails.
04:50.0
There was a big hack years ago, the Yahoo hack. This happened on Facebook. Yahoo's database was sort of compromised. And what Yahoo did, to be safe, was delete all the compromised emails.
05:07.0
What happened: Christian Esguerra at Yahoo.com, Yahoo deleted your email. So your email does not exist. But people forget that, hey, that's the email I used to open my Facebook.
05:26.0
So that doesn't stop me, for example, from creating a brand new Christian Esguerra at Yahoo.com. Exactly the same email you had. Since it's no longer in Yahoo's system, I make a new one. And then I go to Facebook, I reset my password, and it goes to that Yahoo account. And then that's it. I can take over. A lot of people fell victim to that.
05:45.0
That's just with the email. Now, two-factor or multi-factor authentication has become common. Not just email, there needs to be a telephone number. It makes everyone a little safer. But what if your number gets compromised? That's a hassle. You'd now have to change all of...
06:15.0
So I feel that we shouldn't politicize this issue. We really have to hold people to account and protect ourselves, bottom line. Defense first, defense.
06:45.0
So this is the fun part. I don't know if it's been taken back, but literally yesterday, someone from the National Privacy Commission said, you can sue. But they were talking about the employees. Because at that time, it seemed only employee data had been confirmed as leaked.
07:04.0
So if your data was compromised... Actually, this is the good question. What case would you file to begin with? Because there's a criminal case, there's a civil case. Number one, you have to prove that there's a breach. Somehow, you'd only find that out when suddenly someone contacts you or somebody made an attempt. So that's a breach.
07:24.0
Until then, or you've verified that you're in the dataset. So let's segue for a moment. I feel that another thing that needs to happen is that whoever is investigating that data, we need to have a facility to validate if your name is on that list.
07:54.0
So you won't be able to get it. But you can check, is my name, Dominic Ligot, in that list? Or is my password, your actual password, can you validate whether it was breached somewhere? So that should certainly happen for this. We need to have a way of validating.
08:09.0
So if, let's say, it's proven that there's a breach or worse, hopefully it hasn't happened, there's already been a financial loss, someone has gotten hold of your credit card or whatever.
08:39.0
According to the NPC, you can sue. Because under the Data Privacy Act, the data controller, whoever has possession of your data, is liable for breaches. Who's the data controller here? PhilHealth is the data controller.
08:53.0
So that's it, just keep it simple. But that's a huge hassle. And it's costly, you'd hire a lawyer. For most of us, it'd be a public attorney you'd go for, and the line there is long. So it's disheartening because you feel so helpless.
09:23.0
The inquiry, whatever you call it, validation portal, that should come out right away so you can check right away, because who knows, you might not even be in there. At least you can feel a little safe. But as I said, if you don't want to take second chances, change it right away.
09:41.0
And then secondly, if you're there, what do you do? The steps need to be outlined already. This is how you protect yourself. Right now, you can't find anything like that.
09:51.0
If you liked this video, please like and share so more people can see and watch. If you want to hear more, follow me on my social media accounts on the screen.
10:02.0
You can also send super thanks, super likes, super chats, and super stickers on YouTube and Facebook stars. You know, this will go far so we can make more videos that will help spread the right information for every Filipino.
10:18.0
Every like, subscribe, follow, and share is support for true independent journalism in the country. Thank you very, very much.