NPC probes Cebuana Lhuillier data breach as solon calls for tighter BSP measures

The National Privacy Commission (NPC) has launched an investigation into the reported data breach involving the email server of pawnshop and remittance chain Cebuana Lhuillier.

In a statement, privacy commissioner Raymund E. Liboro said he met on Friday, January 18, with representatives from Cebuana Lhuillier who sought assistance regarding a data breach.

“At the meeting, they committed to submit a more detailed report regarding the data breach. Cebuana Lhuillier informed us that it has engaged the services of a third-party information security service provider to handle their mitigation and response to this incident,” Liboro said.

The NPC chief said Cebuana Lhuillier has 72 hours from discovery of a data breach to report the details to the agency and affected data subjects.

“The data subject notification must be done individually, and not further expose the data subject to more harm,” he added.

In an email advisory sent to its customers, Cebuana Lhuillier’s data protection officer disclosed on January 15 they detected attempts to use one of its email servers as a relay to send out spam to other domains.

“Follow-up investigation resulted in the discovery of unauthorized downloading of contact lists used as recipients for email campaigns. These unauthorized downloads took place on August 5, 8, and 12, 2018. Your personal information (name, birth date, email address, mobile number and in some cases, income information) may have been exposed in this incident,” it said.

“Upon discovery, remedial actions were taken to reduce the harm. The server was immediately disconnected from the network after confirmation of breach,” the company added.

Meanwhile, a lawmaker called on the Bangko Sentral ng Pilipinas (BSP) and top officials of banks and financial intermediaries to put in place effective countermeasures to prevent similar incidents.

“I am deeply concerned about this latest data breach or hacking incident involving Cebuana Lhuillier customers and the data hijacking of passport data. These data security incidents are not the only recent ones. These past several years, the Philippine banking system, as reported in the news media, has been subjected to hacking attacks,” said Leyte representative Henry Ong.

“Identity theft followed by illegal diversion of funds from people’s bank accounts are the most probable goals of these data security intrusions,” he said.

Ong also asked the Anti-Cybercrime units of the National Bureau of Investigation and the Philippine National Police to assist the BSP and financial institutions on the law enforcement aspects.
