PHILIPPINES

Philippine Daily Inquirer-May 10

The National Privacy Commission (NPC) gave popular fast-food chain Jollibee Foods Corp. (JFC) 10 days to come up with a plan to rehabilitate the vulnerabilities in its website, which, if exploited, could expose the data of millions of patrons.

About 18 million people are at “high risk” of having their data exposed to harm, given that they are currently under Jollibee’s vulnerable online delivery database.

In response to this, NPC ordered a handful of measures to be implemented by the company, including the suspension of JFC’s online delivery system until the site’s vulnerabilities are addressed.

According to an NPC media advisory, the commission already sent JFC the official order on Tuesday afternoon, launching the 10-day countdown.  NPC told the popular fast-food chain to come up with a security plan within 10 days, which would “ensure the integrity and retention of the database and its content.”

On top of this, NPC also ordered JFC to “employ privacy by design” in reengineering JFC Group’s data infrastructure. Jollibee should also conduct a new privacy assessment, while filing a monthly progress report until the issues in the system are addressed.

When asked what kinds of personal information were accessed, Francis Euston Acero, who leads NPC’s Complaints and Investigations Division (CID), said that the government hid which data were at risk on purpose.

Nevertheless, he said it was the same as Wendy’s Philippines, another fast-food chain that faced similar privacy concern. The difference, however, is that Wendy’s had been breached, while JFC only has the potential to be hacked given the vulnerabilities.

“We withheld that information deliberately because giving that information would give potential attackers avenues in,” he said in a previous phone interview with the Inquirer.

JFC data protection officer J’Mabelard M. Gustilo first notified NPC about the risk in December last year, when then-unknown people were able to gain access to its delivery website.

Upon investigation, NPC’s Complaints and Investigation Division (CID) found out that this was a result of a proof-of-concept initiative by a marketing public relations team “who made representations to a domestic cybersecurity firm.”

CID later invited the cybersecurity firm, who said they noticed a “security gap” within the system.