NPC to probe Cebuana Lhuillier data breach

MANILA, Philippines — The National Privacy Commission (NPC) has initiated an investigation on the reported data breach affecting almost one million clients of pawnshop and money remittance service provider Cebuana Lhuillier.

Privacy commissioner Raymund Liboro said representatives of the company visited the NPC to seek assistance after it discovered a breach affecting the data of 900,000 clients.

“At the meeting, they committed to submit a more detailed report regarding the data breach. Cebuana Lhuillier informed us that it has engaged the services of a third-party information security provider to handle their mitigation and response to the incident,” said Liboro.

“We will await further details as to the scope and severity of the breach. Cebuana Lhuillier has 72 hours from discovery of a breach to report the same to the commission and affected data subjects. The data subject notification must be done individually and not further expose the data to more harm,” he added.

In a statement, Cebuana Lhuillier corporate communications head Richard Villaseran said the data breach affected the e-mail server used for marketing purposes.

While transaction details were not compromised, he said the incident exposed some personal information of clients, including their birthdays, addresses and sources of income.

“Upon discovery, we immediately coordinated with the NPC to investigate the matter and already implemented safety measures to protect the personal data of our clients. We also notified all affected clients and provided them guidance on how to further protect their personal information,” he said.

“We are committed to ensuring data privacy of our clients and adhere to strict security protocols in protecting our interests,” added Villaseran.

In an earlier notice to affected clients, Cebuana Lhuillier said they detected attempts to use one of the e-mail servers to send out spams to other domains.

Further investigation showed that unauthorized downloading of contact lists happened in August last year. 

Cebuana Lhuillier assured affected clients that remedial actions were taken to reduce the harm, including disconnecting the affected server from the network.