Diversified financial services firm Cebuana Lhuillier, known for its remittance services, suffered a nationwide data breach, which puts to risk all the personal data of the company’s 900,000 customers.
Cebuana Lhuillier’s Data Privacy Officer sent a “notice” to all its clients via email, informing them of the data breach yesterday morning.
Richard Villaseran, AVP for Corporate Communications, said that the data breach exposed the personal information of around 900,000 of its clients. Some of these information included birthdays, addresses, and sources of income.
Data at stake also include email addresses and mobile numbers.
National Privacy Commissioner Raymund Enriquez Liboro said the incident is now under investigation.
The data privacy watchdog has also given Cebuana Lhuiller 72 hours from discovery of a data breach to report the same to the Commission and affected data subjects.
“The data subject notification must be done individually, and not further expose the data subject to more harm,” Liboro stressed.
According to Liboro, Cebuana Lhuillier representatives reported Friday to the NPC seeking assistance regarding a data breach involving their email server.
“Cebuana Lhuiller informed us that it has engaged the services of a third party information security service provider to handle their mitigation and response to this incident. We await further details as to scope and severity of the breach,” said Liboro.
“We are writing to inform you of a security incident which may have affected your personal data stored in one of our email marketing tool servers,” the company told its customers.
The company said it detected on Jan. 15 attempts to use one of its email servers as a relay to send out spam to other domains.
“Upon discovery, remedial actions were taken to reduce the harm. The server was immediately disconnected
from the network after confirmation of breach,” it added. (Madelaine Miraflor)