ABS-CBN online store hacked – report

MANILA, Philippines (UPDATED) – The ABS-CBN online store (store.abs-cbn.com) has been hacked according to the report of Dutch security researcher Willem "gwillem" De Groot. 

At 9:30 am, Wednesday, September 19, ABS-CBN took down store.abs-cbn.com and the UAAP store (uaapstore.com), following the report. 

De Groot, in a post on his website dated Tuesday, September 18, said that a payment skimmer is running on the website, which steals personal and financial information including credit card details. The stolen data is then forwarded to a server in Russia, specifically in the city of Irkutsk located in eastern Siberia. De Groot says that "the credit cards and identities are then (presumably) sold on the black market."

"Personal information and credit cards are intercepted while people shop for [merchandise] for one of the 90+ television shows," De Groot says.  

The skimming method makes use of malware hidden in the website's Javascript file, the code underpinning the site. The code has been in the website since at least August 16 as per De Groot's estimates, based on the fact that the code was last changed 4 weeks ago. The code may have been injected earlier than August 16, however, which suggests that any site transaction on or before that date, may have also been affected by the security breach.

The researcher says that the malware intercepts the data during the checkout process, and doesn't state that the malware has an ability to scrape data from older transactions prior to being injected or from the site archive.

One crucial detail that may have contributed to the success of the reported intrusion is that store.abs-cbn.com had been running on Hyper Text Transfer Protocol (http) and not the more secure Hyper Text Transer Secure https protocol. Communications between a user browser and a website running on plain https are encyrpted; http communications are not. (READ: The difference between HTTP and HTTPS websites)

However, De Groot notes that the methodology used in the incident, which is similar to the recent Ticketmaster and British Airways breaches, can beat encrypted connections: "The methodology found at these crime scenes is the same: browser-based interception during the checkout process. This method is quickly gaining popularity because it defeats the security of encrypted connections (https/SSL)."

"Filipinos are recommended to carefully check their credit card statements for unauthorized payments," advises the researcher.

213 customers affected

ABS-CBN has issued a press statement on their news website, indicating how many were possibly affected:

"As of this time, there are 213 customers who may have been affected. However, the investigation is still ongoing.

This data breach incident is isolated only to the ABS-CBN Store and the UAAP Store websites and does not affect other ABS-CBN digital properties. We have informed the National Privacy Commission and will be working closely with them.

We have started reaching out to all our affected customers. We also advise our customers not to give out additional personal and financial information to anyone who may be claiming to be an ABS-CBN representative."

The network advises those with related concerns to email ABS-CBNStore@abs-cbn.com.

The National Privacy Commission (NPC) also says that they received the breach notification from ABS-CBN's Data Protection Officer Jay Gomez at 12:37 pm, around the same time when the company publicly disclosed the incident on Twitter. 

The commission expects "ABS-CBN to send [the NPC] a full report on the incident within five days," says NPC commissioner Raymund Liboro in an emailed statement. – Rappler.com

Editor's note: An earlier version of the article suggested that only transactions after August 16, the date of the last modification of the malware, may have been affected. Transactions before August 16 may have been affected too as the researcher said that the malware may have been injected before the said date. We regret the errors and made the necessary corrections.