Barely a week after the alleged data breach involving passport data, Cebuana Lhuillier has announced a data breach affecting 900,000 customers.
In an email to newsletter subscribers, Cebuana Lhuillier wrote: “We are writing to inform you of a security incident which may have affected your personal data stored in one of our email marketing tool servers. On January 15, 2019, we detected attempts to use one of our email servers as a relay to send out spam to other domains. Follow-up investigation resulted in the discovery of unauthorized downloading of contact lists used as recipients for email campaigns. These unauthorized downloads took place on August 5, 8, and 12, 2018.”
The company also said that it has taken preventive measures to mitigate the risks to affected customers. “Upon discovery, remedial actions were taken to reduce the harm. The server was immediately disconnected from the network after confirmation of breach. The incident was likewise reported to the National Privacy Commission,” the email continued.
In a separate official statement, the P.J. Lhuillier Group of Companies revealed that around 900,000 clients were affected. Data that was leaked during the breach included birthdays, addresses, and source of income.
“Transaction details or information were not compromised. The company’s main servers remain safe and protected,” the company added.
Although no transaction records were leaked, Cebuana Lhuillier still advises its customers to change their passwords and avoid using the same password on different websites. If you think you’re affected by this data breach, you can contact Cebuana Lhuillier’s Data Protection Officer by email at [email protected] or by calling 09188122737 or 09178122737.
Meanwhile, the National Privacy Commission has launched an investigation of the Cebuana Lhuillier data breach. NPC Commissioner Raymund E. Liboro met with representatives of Cebuana Lhuillier who sought assistance regarding the data breach.
“At the meeting, they committed to submit a more detailed report regarding the data breach. Cebuana Lhuillier informed us that it has engaged the services of a third-party information security service provider to handle their mitigation and response to this incident,” Liboro said.
The NPC said that Cebuana Lhuillier has up to 72 hours from the discovery of the breach to report the details and the affected data subjects to the commission.
Cebuana Lhuillier is one of the Philippines’ largest non-bank financial services providers, with interests in pawning, remittance and microinsurance. The company operates more than 2,500 branches all over the country.