Data privacy of Jollibee customers at risk | Inquirer Business

05:16 AM May 10, 2018

The National Privacy Commission (NPC) gave popular fast-food chain Jollibee Foods Corp. (JFC) 10 days to come up with a plan to rehabilitate the vulnerabilities in its website, which, if exploited, could expose the data of millions of patrons.

About 18 million people are at “high risk” of having their data exposed to harm, given that their data currently sits in Jollibee’s vulnerable online delivery database.

In response to this, NPC ordered a handful of measures to be implemented by the company, including the suspension of JFC’s online delivery system until the site’s vulnerabilities are addressed.

According to an NPC media advisory, the commission already sent JFC the official order on Tuesday afternoon, launching the 10-day countdown.

NPC told the popular fast-food chain to come up with a security plan within 10 days, which would “ensure the integrity and retention of the database and its content.”

On top of this, NPC also ordered JFC to “employ privacy by design” in reengineering JFC Group’s data infrastructure. Jollibee should also conduct a new privacy assessment, while filing a monthly progress report until the issues in the system are addressed.

When asked what kinds of personal information were accessed, Francis Euston Acero, who leads NPC’s Complaints and Investigations Division (CID), said that the government hid which data were at risk on purpose.

Nevertheless, he said it was the same as Wendy’s Philippines, another fast-food chain that faced a similar privacy concern. The difference, however, is that Wendy’s had been breached, while JFC only has the potential to be hacked given the vulnerabilities.

“We withheld that information deliberately because giving that information would give potential attackers avenues in,” he said in a previous phone interview with the Inquirer.

JFC data protection officer J’Mabelard M. Gustilo first notified NPC about the risk in December last year, when then-unknown people were able to gain access to its delivery website.

Upon investigation, NPC’s Complaints and Investigation Division (CID) found out that this was a result of a proof-of-concept initiative by a marketing public relations team “who made representations to a domestic cybersecurity firm.”

CID later invited the cybersecurity firm, who said they noticed a “security gap” within the system.

TAGS: Data privacy, Hacking, Jollibee Foods Corp. JFC, National Privacy Commission (NPC)
