11M Jollibee customers affected by data breach

11M Jollibee customers affected by data breach

THE National Privacy Commission (NPC) on Monday reported that it had been notified by fast food giant Jollibee Foods Corp. (JFC) of a data breach affecting some 11 million customers.

Information includings as dates of birth and senior citizen identification card numbers were compromised during a June 22 security incident, the agency said.

"Approximately 11 million data subjects are affected, the majority of whom are Jollibee customers," the NPC said.

"Other impacted brands include Mang Inasal, Red Ribbon, Chowking, Greenwich, Burger King, Yoshinoya, and Panda Express."

By law, companies and individuals processing personal data must notify the NPC and individual affected subjects within 72 hours of discovering a breach.

JFC was said to have requested 20 days to complete its internal investigation.

"The company is addressing the incident and has implemented its response protocols and deployed enhanced security measures to further protect the company's and its subsidiaries' data against threats," it told the stock exchange on Monday.

"The company has also launched its investigation on the matter to understand the scope of this incident, and is currently working with the relevant authorities and experts in its investigation," it added.

JFC said that its e-commerce platforms, including those of its subsidiaries' brands, were unaffected by the incident and remained operational.

"JFC recognizes the value and importance of the confidentiality of personal information of its stakeholders," it said in the disclosure.

"The company assures the public of its commitment to prioritize the protection and confidentiality of such personal information, including customer data, by continuously fortifying its defenses against future threats," it added.

The JFC data breach is the latest to be reported to the NPC.

Last week, health care firm Maxicare said the personal data of some 13,000 customers that had used the booking platform of a third-party service provider were compromised in a June 13 incident.

The affected customers comprised less than one percent of its members and the leaked data did not include sensitive medical information, Maxicare claimed.

On June 6, meanwhile, the NPC responded to reports of data breaches at Toyota Motor Philippines Corp. (TMP), Robinsons Malls and membership shopping club S&R by confirming that it had received notifications from the automaker and Robinsons Land Corp.

"Robinsons Land notified us of a data breach on June 1, 2024. Additionally, Toyota notified us of a breach on May 14, 2024," the NPC said.

S&R, previously reported to have experienced a data breach in 2021, did not issue a notification or release a statement.

The NPC also said that the Philippine National Police had reported six data breach notifications in May 2024.

Robinsons Land, which is also a listed firm like JFC, did not notify the stock exchange. TMP, meanwhile, later issued an advisory saying that the data breach was due to "an unintentional human error."

The Department of Trade and Industry on Monday said it would be looking into the data breaches and further enforcement action under the Data Privacy Act.

Trade Assistant Secretary Amanda Nograles, who is responsible for consumer protection at the department, said "that's personal information that's being leaked by the processor, which is the company, so we can see how we can raise that as a complaint."

JFC shares were unaffected by the data breach report, closing P7, or 3.32 percent, higher at P218 apiece on Monday amid a 1.85-percent rise for the benchmark Philippine Stock Exchange index.