Jollibee ordered to suspend online delivery system over privacy concern
The data of 18 million people in the online delivery database of popular fast food chain Jollibee Foods Corp. (JFC) are in “high risk” of being exposed to harm due to vulnerabilities in the system although its database has not been breached, the National Privacy Commission (NPC) said.
In an order posted online on Tuesday evening, the NPC ordered Jollibee to suspend operations of its online delivery system until the site’s vulnerabilities are addressed.
When asked about the kind of personal information accessed, Francis Euston Acero, head of NPC’s Complaints and Investigations Division (CID), said the government is not revealing this yet.
Still, Acero said it is similar to the case of Wendy’s Philippines, another fast food chain that faced a similar privacy concern.
The main difference is that Wendy’s database had actually been breached, while JFC’s database had only the potential to be hacked because of its system’s vulnerabilities.
“We withheld that information deliberately because giving that information would give potential attackers avenues in,” Acero said in a phone interview with the Inquirer.
The risk was first discovered in December last year, when an uncontracted cybersecurity firm noted a “security gap” in the online delivery system.
“While their group was able to exploit the vulnerabilities, their firm insisted that they did not scrape or exfiltrate any data, because they merely demonstrated their ability to access the data in Jollibee’s database if they so desired,” the NPC order read.
In February this year, the NPC said that the site remained vulnerable, such that even those “with little to moderate technical knowledge and skill” could access the personal information of Jollibee patrons through the website.
“Considering that smaller systems with more robust security measures have been exposed, there is a very high risk that approximately 18 million people currently on the database will be exposed to harm,” NPC said.