NPC probes Cebuana Lhuillier data breach affecting 900K clients | Inquirer Business

NPC probes Cebuana Lhuillier data breach affecting 900K clients

/ 05:32 AM January 20, 2019

The National Privacy Commission (NPC) on Saturday said it was investigating a data breach that affected about 900,000 clients of Cebuana Lhuillier, the country’s largest nonbank financial services provider.

The extent of the damage has not been determined, according to the NPC, but PJ Lhuillier Inc. (PJLI), the parent company of Cebuana Lhuillier, maintains that the breach did not compromise transaction details.


The company, however, has admitted that the data breach affected clients’ addresses, among other information.

“We recently discovered a data breach, which affected our e-mail server that is used for marketing purposes. Information of around 900,000 clients was affected. Some of these information included birthdays, addresses and source of income,” PJLI said.


‘Main servers safe’

Cebuana specializes in financial services such as pawning, remittance and microinsurance. It has close to 2,500 branches nationwide, according to its website.

How the controversy will affect the company is still unclear, especially given how Filipinos — many of whom do not have any bank accounts — have depended on Cebuana’s services to send and receive money here and abroad.

“Transaction details or information were not compromised. The company’s main servers remain safe and protected,” PJLI said.

Cebuana did not say when exactly it discovered the data breach, although company representatives had sought the NPC’s assistance on the issue on Friday last week.

The company had 72 hours from the time the data breach was discovered to report the matter to the NPC and the affected data subjects, according to Privacy Commissioner Raymund Liboro.

PJLI said Cebuana officials coordinated with the NPC “upon discovery” of the data breach and immediately implemented safety measures to protect the personal data of its clients.


Customers informed

The company also said it had already informed all affected clients about the breach.

Liboro said that during a meeting with Cebuana officials on Friday, the company “committed to submit a more detailed report” on the data breach.

“Cebuana informed us that it has engaged the services of a third-party information security service provider to handle their mitigation and response to this incident,” Liboro said.

“This incident is now under investigation,” he added.

Read Next
Don't miss out on the latest news and information.

Subscribe to INQUIRER PLUS to get access to The Philippine Daily Inquirer & other 70+ titles, share up to 5 gadgets, listen to the news, download as early as 4am & share articles on social media. Call 896 6000.

TAGS: Cebuana Lhuillier data breach, National Privacy Commission
For feedback, complaints, or inquiries, contact us.

Curated business news

By providing an email address. I agree to the Terms of Use and
acknowledge that I have read the Privacy Policy.

© Copyright 1997-2021 | All Rights Reserved

We use cookies to ensure you get the best experience on our website. By continuing, you are agreeing to our use of cookies. To find out more, please click this link.