Privacy body starts probe into Cebuana Lhuillier data breach
MANILA, Philippines — The National Privacy Commission on Saturday said it started a probe into a data breach that hit pawnshop chain Cebuana Lhuillier and affected personal information of around 900,000 clients.
In a statement, the NPC said representatives from Cebuana Lhuillier went to the commission last January 18 to seek assistance on a data breach involving their email server.
At the meeting, the micro-financial company committed to submit a “more detailed report” on the incident and informed authorities it hired a third party information security service provider to handle the “mitigation and response” to the breach.
“We await further details as to scope and severity of the breach,” the NPC said.
“Cebuana Lhuillier has 72 hours from discovery of a data breach to report the same to the Commission and affected data subjects. The data subject notification must be done individually, and not further expose the data subject to more harm,” it added.
In a separate statement, the parent company of Cebuana Lhuillier said its email server used for “marketing purposes” was hit by the breach.
Compromised information included customers’ birthdays, addresses and source of income, the company disclosed.
Transaction details and the company’s main servers “remain safe and protected,” Cebuana Lhuillier said, adding that it immediately reported the incident to the NPC and notified all the affected clients.
“We are committed to ensuring the data privacy of our clients and adhere to strict security protocols in protecting our interests,” the company said.
“We will provide additional information regarding the incident as soon as it becomes available,” it added.
Cebuana Lhuillier is one of the leading and largest non-bank financial services providers in the Philippines with close to 2,500 branches nationwide. — Ian Nicolas Cigaral
- Latest
- Trending