A Breach Uncovered

Cebu Pacific: no sensitive information was compromised

Hacker: personal data of Cebu Pacific passengers downloaded

Name, date of birth, address, contact details, emails even Facebook access tokens were downloaded from the Cebu Pacific servers – a breach claimed by a hacker who goes by a moniker Kangkong, a member of the local hacking group Pinoy LulzSec.

In a Twitter update, @PinoyLulSec posted: “Large Data Breach Coming from GetGo to CebPac. Active Directory is lyf — KangKong”

While the severity of the hack is not yet known, the hacker claimed that more than 40GB of data was exfiltrated from the servers.  Based on the 2018 statistics of Cebu Pacific available online, the company has served more than 20 million passengers from its 135,071 flights. This number is feared to be compromised by independent cybersecurity professionals looking into the incident.

Cebu Pacific however clarified and downplayed the impact of the breach. In an exclusive interview, Laureen Cansana, Chief Information Officer of Cebu Pacific informed The Manila Bulletin that there was an unauthorized access but the hackers only reached the interface layer, it is the place where you login in the app or website. “Only the first layer was breached. But they weren’t able to really penetrate deeper where the customer data are stored.”  Cansana also said that the information that was exposed were the GetGo number card, FB profile and username. “That’s all the information that they were able to get, not as what they’re claiming.” she added.

With regards to the 40GB claim of the hacker, Glenn Amper, IT Security Manager of Cebu Pacific said: “We are still verifying that claim and their claim of access to directory services. We’re still looking for those information.” He also assured that credit card information of clients are safe. “The credit card information is stored in another database and Cebu Pacific never stored passwords and CCV of the card.”

“Next step is going to the dark web to see if there’s any other information out there —as long as Cebu Pacific customers are concern, so far there is none. The web API is the last piece that is being boarded in the web application firewall, the rest of Cebu Pacific Air and GetGo are in the firewall.  We see and track malicious traffic to our servers. It’s just bad timing that they got ahead of us in this one.” Amper added.

While the investigation is on-going, all GetGo accounts would be temporarily locked and all channels would be unavailable.  Also as an additional precaution, users would not be able to access Cebu Pacific website and mobile app using their GetGO credentials.

Independent cybersecurity professionals are also monitoring websites where the hacker could have dumped the database.  Manila Bulletin got information that as of this writing, all leads are negative.

This is a developing story. Will update as soon as we get additional information.


GetGo is the the frequent flyer program of Cebu Pacific and a rewards program that allows members to accumulate points.

Facebook access tokens are the digital keys that allow mobile users to login into their accounts without having to retype their passwords.

The hacker claimed that he was just looking for emails he could use for spamming people when he stumbled upon the vulnerability.

40GB is estimated that if converted to text file would be 27,118,520 pages (where one GB is 677,963 pages)

The IT staff of Cebu Pacific immediately secured the site upon detecting the unauthorized access.

When Pinoy LulzSec made public the breach, the Cebu Pacific server was already secured.