More than 80,000 records of customers and even job applicants — including names, hashed passwords, and contact numbers — have been exposed last month in a leak of Wendy’s Philippines’ website, according to the National Privacy Commission (NPC).
In a statement on Friday night, NPC estimated that 82,150 records were exposed, which included personal details such as names, contact numbers, home addresses, hashed passwords, transaction details, and mode of payment of the company’s customers, loyalty card members, and even job applicants.
In an order published online, NPC ordered Wenphil Corp., which runs the franchise here in the country, to notify the people whose data had been exposed. The document, dated May 2, told the company to do so within 72 hours.
NPC said that “yet unknown persons” published the database online. NPC then obtained a copy of the data, noting that there is “real risk of serious harm” to those affected.
“On an analysis of the information exfiltrated, it can be ascertained that the exposure of certain sensitive personal or financial information within the database puts the affected data subjects in harm’s way,” the order read.
“There is a real risk of serious harm to the affected data subjects; the data is not merely incidental to the breach,” it said.
Among other orders, NPC said that it has asked the company to explain why further action should not be taken against it.
NPC has also asked for a copy of server logs, network logs, and traffic logs of the website prior to the breach.