NPC orders Jollibee to suspend online delivery system over data vulnerabilities

MANILA, Philippines — The National Privacy Commission has ordered fastfood giant Jollibee to suspend its online ordering and delivery system over vulnerabilities on its website.

Jollibee said on its website that is "currently improving our delivery website to serve you better."

JUST IN: National Privacy Commission suspends Jollibee’s of online delivery service due to potential security risk for users. @PhilippineStar pic.twitter.com/34vVYJM2LN

— Janvic Mateo (@jvrmateoSTAR) May 8, 2018

The NPC's Legal Enforcement Office said in the order that the commission's Complaints and Investigation Division initiated a vulnerability assessment of Jollibee's website "and found that it remains vulnerable to unauthorized access."

The investigation was prompted by a data breach that Jollibee reported on December 12, 2017.

The CID, which investigated the breach, attributed the breach to a "a proof-of-concept initiated by a marketing PR team representative of Jollibee, who made representations to a domestic cybersecurity firm."

RELATED: Privacy body probes fastfood chain over data breach

In a meeting on December 21, one of the members of the firm said that they "merely demonstrated their ability to access the data in Jollibee's database."

The vulnerability was said to have been discovered while conducting testing on the website. The firm said it did not extract the data.

Jollibee Data Privacy Officer J'Mabelard Gustilo implemented corrective measures to address the vulnerability, but the NPC said in its order that vulnerabilities remained.

"Considering that smaller systems with more robust security measures have been exposed, there is a very high risk that approximately 18 million people currently on the database will be exposed to harm," NPC said.

Aside from suspension, Jollibee has been ordered to submit within 10 days a security plan to fix the system "to ensure the integrity and retention of the database."

It must also conduct a new Privacy Impact Assessment and file a monthly progress report "until the issues raised in this order are resolved."

Wendy's, another fastfood restaurant that the NPC has been investigating over another data breach, told customers of the breach and said in text messages that personal data provided in the website, including names, contact information and credit card details "may have been compromised."

It also said that the website has been shut down and that it is working with the NPC, its website host and its payment gateway "for immediate action to prevent damage to our data subjects."