Jollibee hit with data breach anew

Image courtesy of Elmer B Domingo (licenced under CC-BY 4.0/cropped from original)

Another personal data breach has struck Philippine fast food giant Jollibee Foods Corporation (JFC) and several of its subsidiaries, the company reported in a June 22 bourse filing.

“The company is addressing the incident, has implemented its response protocols, and deployed enhanced security measures to further protect the company’s and its subsidiaries’ data against threats. The company has also launched its investigation into the matter to understand the scope of this incident and is currently working with the relevant authorities and experts in its investigation,” the statement read.

Scope of the breach and response

While JFC did not detail the scope of the attack, the country’s data privacy watchdog, the National Privacy Commission (NPC), said, “Approximately 11 million data subjects are affected, the majority of whom are Jollibee customers. Other impacted brands include Mang Inasal, Red Ribbon, Chowking, Greenwich, Burger King, Yoshinoya, and Panda Express.”

Meanwhile, JFC confirmed that its e-commerce platforms and those of its subsidiaries were unaffected by the cyberattack.

“JFC recognises the value and importance of the confidentiality of personal information of its stakeholders. The company assures the public of its commitment to prioritising the protection and confidentiality of such personal information, including customer data, by continuously fortifying its defences against future threats,” the company said.

“Data breaches are becoming far too common in recent weeks. Fortunately, in this case, only customer emails were compromised and not private information. While the addresses may already be known publicly, this would allow an attacker to craft targeted phishing campaigns about this brand to elicit the targets to perform an action like resetting a password on a malicious landing page resembling the official one. Customers should be diligent of any emails requesting immediate action as that is a warning sign of an attack,” Thomas Richards, Principal Security Consultant, Synopsys Software Integrity Group, said.

In 2018, the NPC ordered Jollibee to shut down its online delivery platform after it was hit with a personal data breach.