The National Privacy Commission (NPC) on Saturday said it was investigating a data breach that affected about 900,000 clients of Cebuana Lhuillier, the country’s largest nonbank financial services provider.
The extent of the damage has not been determined, according to the NPC, but PJ Lhuillier Inc. (PJLI), the parent company of Cebuana Lhuillier, maintains that the breach did not compromise transaction details.
The company, however, has admitted that the data breach affected clients’ addresses, among other information.
“We recently discovered a data breach, which affected our e-mail server that is used for marketing purposes. Information of around 900,000 clients was affected. Some of these information included birthdays, addresses and source of income,” PJLI said.
‘Main servers safe’
Cebuana specializes in financial services such as pawning, remittance and microinsurance. It has close to 2,500 branches nationwide, according to its website.
How the controversy will affect the company is still unclear, especially given how Filipinos — many of whom do not have any bank accounts — have depended on Cebuana’s services to send and receive money here and abroad.
“Transaction details or information were not compromised. The company’s main servers remain safe and protected,” PJLI said.
Cebuana did not say when exactly it discovered the data breach, although company representatives had sought the NPC’s assistance on the issue on Friday last week.
The company had 72 hours from the time the data breach was discovered to report the matter to the NPC and the affected data subjects, according to Privacy Commissioner Raymund Liboro.
PJLI said Cebuana officials coordinated with the NPC “upon discovery” of the data breach and immediately implemented safety measures to protect the personal data of its clients.
Customers informed
The company also said it had already informed all affected clients about the breach.
Liboro said that during a meeting with Cebuana officials on Friday, the company “committed to submit a more detailed report” on the data breach.
“Cebuana informed us that it has engaged the services of a third-party information security service provider to handle their mitigation and response to this incident,” Liboro said.
“This incident is now under investigation,” he added.