Advertisement

BSP says Cebuana Lhuillier data breach ‘contained’

Font Size

BSP
BW FILE PHOTO

By Melissa Luz T. Lopez
Senior Reporter

THE DATA BREACH involving Cebuana Lhuillier (CL) appears to be “contained,” a central bank official said, amid investigations into the leak that affected around 900,000 customers.

“More or less it’s contained, and to clarify, it’s nonfinancial [data],” Dindo R. Santos, director of the Bangko Sentral ng Pilipinas (BSP) Financial Supervision Department IX, said in an interview.

Mr. Santos, who heads the unit overseeing nonbank financial firms, said they have been informed by Cebuana Lhuillier after discovering the data leak last Jan. 18. The regulator has been coordinating with company authorities since last Monday.

The pawnshop under the PJ Lhuillier Group of Companies has disclosed that they detected a breach in their e-mail server used “for marketing purposes,” which compromised personal data of their clients like birthdays, addresses, and source of income.

However, the firm said that their main servers were not affected and transaction details are safe.




Mr. Santos said the pawnshop complied with a new rule introduced by the BSP requiring all supervised financial firms to report any cyber-attacks or data breach cases within two hours upon discovery, followed by a more detailed report the next day.

“The BSP is closely monitoring the situation and coordinating with the concerned officers of CL to ensure timely remediation and that such exposed information will not be used for fraudulent transactions,” the central bank said in the statement issued on Jan. 21.

Cebuana Lhuillier provides pawning, remittance, microinsurance and microloans to the public, with a network of close to 2,500 branches in the Philippines.

Apart from the BSP, the National Privacy Commission is also investigating Cebuana Lhuillier’s data breach.

“The BSP will conduct an investigation,” Mr. Santos said.

“On the part of the institution, they should have some actions taken on how to prevent the recurrence of the incident. On our part, we’ll continue monitoring.”

Cybersecurity has been assigned as a board-level concern, with all financial firms required to put up internal systems and an information security program “commensurate” to the complexity of their reliance to digital tools for their operations.