Jollibee data breach may affect almost 11 million customers

MANILA, Philippines — The National Privacy Commission (NPC) said the data breach that hit homegrown multinational Filipino fast-food giant Jollibee, listed as Jollibee Foods Corp. (JFC), is suspected to have affected or compromised the personal data of about 11 million customers of all the restaurant brands under the conglomerate.

Rainier Anthony Milanes, chief of the NPC’s compliance and monitoring division, said that with the breach report submitted last Saturday afternoon affecting almost 11 million customers, the case was considered a major breach.

The breach, he said, affected the “data lake” of JFC, where personal data of the customers of all the restaurant brands under the Jollibee Group were compromised.

“When you say it’s the ‘data lake,’ all kinds of data are there. It could be structured or unstructured (data),” he told The STAR in a Viber chat interview yesterday.

The restaurants affected by the data breach are Jollibee, Mang Inasal, Red Ribbon, Chowking, Greenwich, Burger King, Yoshinoya and Panda Express, as reported by Roren Marie Chin, chief of the NPC’s public information and assistance division.

She added that the compromised information include dates of birth and senior citizen ID numbers. Milanes said JFC’s employee data might have also been compromised.

Milanes said JFC was registered with the NPC as a personal information controller (PIC) and personal information processor (PIP). The Data Privacy Act of 2012 mandates registration of private entities that handle more than 1,000 individuals’ personal information as a PIC or PIP.

“Jollibee Foods Corp. has requested additional 20 days to complete its internal investigation,” Chin said.

Meanwhile, JFC said it has submitted the necessary notification to the NPC on the cybersecurity incident.

They have reiterated in a stock exchange filing yesterday that they are currently addressing the incident as they implement response protocols and deploy enhanced security measures.

These steps are aimed to further protect the company’s and its subsidiaries’ data against threats.

Over the weekend, the Jollibee Group said it has also launched its investigation on the matter to understand the scope of the incident.

The company, however, maintained that its e-commerce platforms and those of its subsidiary brands are unaffected by the incident and remain operational.

JFC assured the public that it continues to monitor and update its security measures as appropriate under the circumstances and as may be required by the results of its investigation into the matter.