NPC to ask Jollibee to take preventive action vs data breach

By Bernie Cahiles-Magkilat

The National Privacy Commission (NPC) is coming out with an order asking Jollibee to implement immediate corrective measures after an initial investigation showed attempted data breaches at the country’s largest fastfood chain.

NPC Commissioner Raymund Liboro said its digital forensics team had been undertaking vulnerability assessment and penetration testing since last year.


NPC is expected to come up with the order to Jollibee within the day (May 7) or tomorrow (May 8).
“We have been communicating with Jollibee,” said Liboro.

Atty. Francis Euston Acero of NPC Complaints and Investigation Division said the Commission may come up with a comprehensive order either today or tomorrow.

A preventive action means that if a company finds a problem or detects attempts at illegal data transfer, it should take corrective action immediately.

Acero noted that corrective action will depend on a number of factors based on evidence.
Liboro, however, noted that although their digital forensics team still has limited capability, it has been working well to investigate and prevent personal data breaches.

The team has also been examining other online retailers that collect and process the personal data of their customers. This is aimed at alerting companies to implement preventive mitigation measures before a full-blown data breach occurs.

NPC is also working on its end to provide the Department of Justice with information on intentional and deliberate data breaches, which are acts punishable under the Data Privacy Law.

Last year, NPC reported 53 data breaches and ordered firms to implement corrective measures.

Recently, NPC ordered Wendy's Philippines, a leading fastfood chain, to promptly notify the data subjects affected by the breach and wholesale leak of its database last April 23.

An estimated 82,150 records were exposed in the incident, which included personal details such as the names, contact numbers, home addresses, hashed passwords, transaction details, and mode of payment of the company's customers, loyalty card members, and even job applicants.

Earlier, NPC summoned the management and other responsible officials of seven schools, institutions, and local government units as it investigates data breaches they sustained following an organized attack on government and commercial organizations last April 1, 2018.

Top officials of Taguig City University; the Department of Education offices in Bacoor City and Calamba City; the Province of Bulacan; Philippine Carabao Center; Republic Central Colleges in Angeles City; and Laguna State Polytechnic University were asked to explain why they did not notify either the NPC or the affected data subjects within 72 hours of the breach, in which personal data were made available for download via links posted on Facebook.

Under the Data Privacy Law, Personal Information Controllers are required to employ organizational, technical, and physical measures to protect personal data.

“This includes the duty to inform data subjects and this Commission if there is a serious data breach,” said Liboro.

The move comes after digital investigators from the National Privacy Commission determined that each of the exposed databases contained sensitive personal information or information that could be used to perpetrate identity fraud; that the exposed data is in the hands of unauthorized persons; and that the exposure of the data raises a real risk of serious harm to the affected data subjects.

In its initial estimate, the NPC said the exposed records in the breach belonged, combined, to at least 2,000 individual data subjects. The records include their name, address, phone number, email address, and in some instances, even passwords and school details.