Non-bank financial services provider Cebuana Lhuillier Pawnshop has reported a data breach that may have affected 900,000 clients and sought the assistance of the National Privacy Commission.
The pawnshop chain, which has about 2,500 branches nationwide, was given 72 hours from the discovery of the data breach to report to the commission the scope and severity of the breach.
NPC Commissioner Raymund Liboro, in an official statement on Saturday, January 19, said Cebuana Lhuillier reported the data breach involving their email server on January 18. An investigation has been launched into the incident.
“Cebuana Lhuiller informed us that it has engaged the services of a third party information security service provider to handle their mitigation and response to this incident. We await further details as to scope and severity of the breach,” Liboro stated.
The Bangko Sentral ng Pilipinas (BSP), in a statement, said it was closely monitoring the situation and coordinating with Cebuana Lhuillier to ensure that the exposed information will not be used for fraudulent transactions.
The National Computer Emergency Response Team (CERT-PH) is conducting its own separate investigation.
Cebuana Lhuillier is a unit of PJ Lhuillier, Inc., which is engaged in pawning, remittance services, micro-insurance and business-to-business micro loan solutions.
The National Privacy Commission, an attached agency of the Department of Information and Communications Technology (DICT), is mandated to administer and implement the Data Privacy Act of 2012 and to monitor and ensure compliance of the country with international standards set for data protection. (Ventures Cebu)