A probe has been launched by the National Privacy Commission (NPC) following a security breach which saw the data of 900,000 customers of Cebuana Lhuillier accessed without authorisation.
“Cebuana Lhuillier informed us that it has engaged the services of a third-party information security provider to handle their mitigation and response to the incident,” said privacy commissioner Raymund Liboro. “We will await further details as to the scope and severity of the breach.
“Cebuana Lhuillier has 72 hours from discovery of a breach to report the same to the commission and affected data subjects. The data subject notification must be done individually and not further expose the data to more harm.”
As reported by Channel Asia, the breach occurred due to a server failure, which exposed confidential customer information such as names, birth dates, email addresses, mobile numbers, and income details.
However, transaction details do not appear to have been compromised as a result of this breach.
“Upon discovery, we immediately coordinated with the NPC to investigate the matter and already implemented safety measures to protect the personal data of our clients,” said Richard Villaseran, head of corporate communications, Cebuana Lhuillier.
“We also notified all affected clients and provided them guidance on how to further protect their personal information. We are committed to ensuring data privacy of our clients and adhere to strict security protocols in protecting our interests.”
In an explanation of the incident sent to customers, it appears that attempts had been made to use one of the e-mail servers to send out spam to other domains.
Upon further investigation it also appears that unauthorised downloading of contact lists took place in August 2018. The provider has assured those affected by the breach that remedial actions were taken to reduce the harm, including disconnecting the affected server from the network.
The NPC will investigate whether the provider was negligent in any way regarding the breach and whether the proper protocol was followed upon discovery.
“That is one of the most important things to know here,” agreed Liboro, when speaking on local TV.
Liboro said that under the law the responsibility for the data lies on the shoulders of the one processing it, and if it is proven that Cebuana Lhuillier did not act responsibly it could result in a large penalty for the organisation.
Liboro also stated that the NPC had asked the provider for a comprehensive report on the incident, including the risks customers face as a result of the data breach and how the organisation seeks to address them.