Privacy watchdog ‘monitoring 24/7’ COL Financial’s data hack probe
The government’s privacy watchdog said on Sunday that it was closely monitoring the “possible personal data breach” at the country’s largest online stock brokerage firm, which has almost a quarter of a million clients trading shares on its internet-based trading platform.
In a press statement, National Privacy Commission (NPC) chief Raymund Enriquez Liboro ordered COL Financial to submit within five days a comprehensive report on the potential hacking of its client database to aid in the agency’s probe as well as to help it decide on its next course of action.
“The public may rest assured that the NPC is monitoring this incident 24/7 in fulfilment of its mandate as watchdog for the protection of the data privacy rights of every individual who may possibly be affected,” he said.
The agency said it had been informed by the stock brokerage – one of the most active trading participants on the Philippine Stock Exchange by volume – that it was “hiring a third party group to perform an independent security and vulnerability check of the system.”
At the same time, the privacy commission commended COL Financial for its timely action on the data breach, including notifying authorities, as mandated by law, about the incident within three days of its discovery.
Liboro said his agency was informed at 3:30 p.m. on Friday about the potential data breach to its system which was initially detected in the afternoon of Oct. 17, 2017.
“We are glad to note that this notification has adhered to standard breach reporting protocols set forth in NPC Circular 16-03, on personal data breach management,” he said. “The company has assured the NPC that it has taken immediate measures to address the incident, creating a special team to look into the ‘likelihood of the threat and probable extent of a data breach, if any’.”
The NPC said that COL Financial also submitted a preliminary report giving additional details of what their breach response team has done as of Friday. The company said it ran an initial vulnerability scan of its website, the result of which was “favorable”.
“We commend COL Financial for following the NPC’s breach management guidelines, which oblige a Personal Information Controller (PIC) or Personal Information Processor (PIP) to be upfront and transparent in handling a personal data breach,” Liboro said. “This includes sending a preliminary notification to the NPC and the affected data subjects within 72 hours upon knowledge or reasonable belief that a breach has occurred.”
COL Financial president and CEO Dino Bate earlier told the Inquirer that none of the 225,000 clients’ accounts and portfolios was affected by the possible breach.
“We assure our clients that their stock positions and portfolios are unaffected,” he said. “They will be able to trade normally on Monday.”