900,000 customers at risk after Cebuana Lhuillier data breach


By Madelaine Miraflor

Diversified financial services firm Cebuana Lhuillier, known nationwide for its remittance services, suffered a nationwide data breach that puts at risk all the personal data of the company’s 900,000 customers.

(MANILA BULLETIN)

Cebuana Lhuillier’s Data Privacy Officer sent a “notice” to all its clients via email Saturday morning, January 19, informing them of the data breach.

Richard Villaseran, AVP for Corporate Communications, later said in a statement that the data breach exposed the personal information of around 900,000 of its clients. Some of this information included birthdays, addresses, and sources of income.

National Privacy Commissioner (NPC) Raymund Enriquez Liboro said the incident is now under investigation.

The data privacy watchdog also gave Cebuana Lhuillier 72 hours from discovery of a data breach to report it to the NPC and the affected data subjects.
“The data subject notification must be done individually and not further expose the data subject to more harm,” Liboro stressed.

According to Liboro, Cebuana Lhuillier representatives reported to the NPC on Friday, January 18, seeking assistance regarding the data breach involving their email server.
At the meeting, they committed to submit a more detailed report regarding the data breach.

“Cebuana Lhuillier informed us that it has engaged the services of a third party information security service provider to handle their mitigation and response to this incident. We await further details as to scope and severity of the breach,” said Liboro.

Aside from birthday, address, and source of income, data at stake include email addresses and mobile numbers.

“We are writing to inform you of a security incident which may have affected your personal data stored in one of our email marketing tool servers,” the company told its customers.

The company said it detected on January 15 attempts to use one of its email servers as a relay to send out spam to other domains.

“Follow-up investigation resulted in the discovery of unauthorized downloading of contact lists used as recipients for email campaigns. These unauthorized downloads took place on August 5, 8, and 12, 2018,” Cebuana Lhuillier said.

“Upon discovery, remedial actions were taken to reduce the harm. The server was immediately disconnected from the network after confirmation of breach,” it added.

Cebuana Lhuillier has 2,500 branches nationwide. It operates businesses dealing with financial services such as pawning, remittance, microinsurance, and business-to-business micro loan solutions.

The Cebuana Lhuillier data breach occurred days after another major data breach supposedly took place at the Department of Foreign Affairs (DFA), which raised concerns about possible identity theft and about the possibility that personal data taken from the agency may be used to manipulate the automated 2019 senatorial polls.