Media giant ABS-CBN Corp. said it temporarily shut down two online stores that were the targets of a data breach that may have exposed the personal and financial information of over 200 customers.
ABS-CBN said in a statement that the incidents involving ABS-CBN Store (store.abs-cbn.com) and the UAAP Store (uaapstore.com) were isolated and did not affect its other digital properties.
The websites were shut down at 9:30 a.m. on Wednesday.
“Personal information and credit card details of our customers may have been exposed. As of this time, there are 213 customers who may have been affected,” ABS-CBN said in its statement.
ABS-CBN, which said it was cooperating with the National Privacy Commission, added that an investigation was underway.
The issue was earlier reported by Willem de Groot, an Amsterdam, Netherlands-based security consultant and researcher.
In a Sept. 18 post on his personal blog, De Groot said criminals had been running a payment skimmer on ABS-CBN’s online store since at least Aug. 16 this year.
He said the method, which defeats the security of encrypted connections, allows the perpetrators to intercept the personal and credit card data of customers during the checkout process.
He added that the stolen data were sent to a server registered in Irkutsk, Russia, after which they would presumably be sold on the black market. Other big companies that fell victim to credit card theft include British Airways and Ticketmaster, he said.
ABS-CBN on Wednesday asked its customers to exercise added caution in the meantime.
“We have started reaching out to all our affected customers. We also advise our customers not to give out additional personal and financial information to anyone who may be claiming to be an ABS-CBN representative,” ABS-CBN said. It said customers can send their queries to ABS-CBNStore@abs-cbn.com.
In a statement, Privacy Commissioner Raymond Enriquez Liboro said the agency was informed of the breach and that it was closely monitoring the situation.
“We expect ABS-CBN’s DPO [data protection officer] to act in accordance with breach management standards set forth by the Commission, and fully set in motion its breach response protocols,” Liboro said.