The National Privacy Commission (NPC) has ordered Jollibee Foods Corporation (JFC) to suspend its online food delivery operations and implement preventive website security measures after a data breach incident last December exposed Jollibee’s customer database.
In a commission order dated May 4 and issued by NPC’s Legal and Enforcement Office, the NPC said Jollibee’s data privacy officer informed the Commission that on December 8, 2017, “persons unknown to the JFC Group appeared to have been able to gain access to the customer database of the delivery website for Jollibee.”
The Commission’s Complaints and Investigation Division (CID) identified the breach as “a result of a proof-of-concept initiated by a marketing PR team representative of Jollibee, who made representations to a domestic cybersecurity firm.”
The NPC-CID said that after conducting its own vulnerability assessment of Jollibee’s website, it found that the website remains vulnerable to unauthorized access.
“Such vulnerabilities may allow malefactors with little to moderate technical knowledge and skill to access personal information of Jollibee patrons through its website,” the NPC said.
In order to protect personal data of those using the Jollibee delivery service, the NPC ordered JFC Group to “suspend forthwith the operations of and all other data processing open to the public through the internet…for an indefinite time until the site’s identified vulnerabilities are addressed, as validated by a duly certified penetration testing methodology.”
It also ordered JFC to submit a security plan and file a monthly progress report until the issues raised in the said order are resolved.