Stock market broker AB Capital Securities admitted last Feb. 3 that its system was breached by hackers last Jan. 25, causing the temporary suspension of its trading activities for its clients.

In an urgent advisory sent to its clients, AB Capital said the security breach may have exposed the personal information of some of them.

“It is our responsibility to advise you, however, that the security breach that hit our system last January 25 may have exposed personal information of some clients. We are exhausting all potential methods to determine the specifics, and are committed to providing more information on this as we validate our findings,” the brokerage firm said in an advisory.

The National Privacy Commission (NPC), for its part, said that AB Capital had sent it a “physical copy” of a breach notification on that same day at 3 p.m. The NPC has an online tool called the Data Breach Notification Management System (DBNMS) that allows personal information controllers (PICs) and personal information processors (PIPs) to submit or file such breach notification reports.

However, it was noted that the advisory was sent by the securities firm mainly to inform its clients of the resumption of trading activities last Feb. 3.

“We are pleased to report that our systems are up and running and we are back to business-as-usual,” it said.

The brokerage was silent about the security breach when it issued an email advisory to its clients regarding the suspension of its trading activities last Jan. 27, which it said was due to “essential system maintenance” supposedly “to ensure the continued security and reliability of our services”.

However, AB Capital said in its subsequent advisory that it has informed the NPC and other regulators about the incident, and gave assurances that the stock portfolios of its clients were unaffected by the security breach.

The securities broker urged its clients to change their passwords before resuming their trading.

AB Capital recommended that clients create passwords that have at least 16 characters, include three numbers and three special characters, and do not contain any word that can be found in the English dictionary.

“Under the close supervision of a third-party cybersecurity firm, we have upgraded our digital infrastructure and fortified its defenses to prevent further leakage and protect against similar attacks in the future,” the broker said.

AB Capital is the partner of the country’s e-wallet giant GCash in GStocks PH, the stock trading platform in the GCash app, which the two companies rolled out back in August 2023.

Meanwhile, the Philippine Charity Sweepstakes Office (PCSO) has denied that its system was breached by a local hacking group as reported on Feb. 23 by cybersecurity site Deep Web Konek.

PCSO general manager Mel Robles, in a statement, branded the alleged hacking of its system as “fake news”, stressing that there was never a breach in any of the official sites or database of the PCSO.

“This is fake news. There was no breach nor any successful attempt to hack the systems of PCSO. We have not reported anything to DICT because nothing had happened,” he stated.

Robles continued: “Relax, today is Valentine’s Day and don’t let it be ruined by some groups who were out to besmirch or cast doubt on the integrity of our games. It’s too early for April Fool’s Day and let us not easily fall for it.”

“While there were numerous attempts (in the past) to hack our system coming from all over the world, our digital defenses are holding out and remain impregnable,” he stressed.

He was disputing an online news report that the PCSO and the Department of Information and Communications Technology (DICT) were reportedly investigating an alleged breach of the data of lotto winners.

Robles emphasized that the news report came from an alleged group of hackers who were obviously attempting to make a name for themselves by claiming that they were able to breach the PCSO system.

The PCSO chief was, however, quick to clarify that none of their accounts was attacked or compromised.

Robles added that the hacker group was merely claiming that it got hold of the email accounts of PCSO employees, most probably from its Cagayan branch, based on the screenshots attached to the post.

Robles, however, pointed out that it was the list of individuals who availed of the promo of the PCSO branch in March 2022 and not names of winners, whether of jackpot or consolation prizes.

The picture of a woman holding tickets is proof that the promo tickets were availed of by “real” people, thus the information published by the hackers actually belongs to the recipients of a promo of a branch in Cagayan in March of 2022 and not to lotto winners.

“Our database for the lotto jackpot winners is safe in the head office. The branch offices are not connected to the head office,” he said.

Robles had earlier dismissed the claims, saying the systems and sites of the agency are secure.

“I have just checked, at the moment, none of our websites are compromised, breached, or hacked,” Robles stressed.