The National Privacy Commission (NPC) has ordered Jollibee Foods Corporation to suspend the operations of its online delivery site and all other websites open to the public after the fast-food giant submitted a data breach report on December 12, 2017.
In an order signed by NPC Complaints and Investigations Division chief Francis Acero, the privacy agency also mandated Jollibee to submit a security plan for its IT system.
It also ordered Jollibee to employ a “privacy by design in the reengineering” of its data infrastructure and conduct a new privacy impact assessment, as well as file a monthly progress report until the issues are resolved.
The NPC ordered the steps to be undertaken after Jollibee’s data protection officer (DPO) J’Mabelard M. Gustilo informed the agency that unknown persons appeared to have been able to gain access to the customer database of the delivery website for Jollibee on December 8, 2017.
In the course of the investigation, the Complaints and Investigation Division (CID) identified the breach to be a result of a proof-of-concept initiated by a marketing PR team representative of Jollibee, who made representations to a domestic cybersecurity firm.
The CID invited the IT firm to a meeting wherein one of its members narrated that he, while conducting vulnerability testing for another client, noticed a security gap in the jollibeedelivery.com website.
While their group was able to exploit the vulnerabilities, the tech firm insisted that they did not scrape or exfiltrate any data, because they merely demonstrated their ability to access the data in Jollibee’s database if they so desired.
Shortly after the breach, Gustilo decided to handle corrective measures internally and through Jollibee’s third-party IT security providers.
Gustilo nevertheless clarified that Jollibee treated the cybersecurity firm responsible for the breach as an uncontracted entity or stranger who had no authority to infiltrate their IT infrastructure.
In a later meeting, Gustilo admitted to the CID that the database protection was not up to date, and some data, including personal information, were unencrypted.
Although the CID noted some improvements in protecting data privacy on the part of Jollibee after the suspected breach, the NPC noted that more consistent and effective efforts are needed to protect the data.
As DPO, Gustilo acknowledged difficulty in effecting the needed data protection and security measures for various reasons, such as budgetary constraints, low prioritization or outright disinterest within the organization.
Following these meetings, on February 20, 2018, the CID began conducting its own vulnerability assessment of Jollibee’s website and found that it remained vulnerable to unauthorized access.
Such vulnerabilities may allow malefactors with little to moderate technical knowledge and skill to access personal information of Jollibee patrons through its website, the NPC said.
The agency said considering that smaller systems with more robust security measures have been exposed, there is a very high risk that approximately 18 million people currently on the database will be exposed to harm.
“Considering, further, that these vulnerabilities were made known to Jollibee for quite some time, and that their online properties remain vulnerable, urgent action is necessary to protect the personal data of those using the JFC Group delivery service,” it said.