THE CENTRAL bank said it is looking into the data breach which hit Cebuana Lhuillier, with an official pointing out that pawnshop firms are mandated to keep tight cybersecurity protocols in place.
Bangko Sentral ng Pilipinas (BSP) Deputy Governor Chuchi G. Fonacier told reporters that officials of Cebuana Lhuillier (CL) informed the regulator “over the weekend” about the data leak, which is said to have affected roughly 900,000 customers.
Cebuana Lhuillier said over the weekend that a breach was detected in an e-mail server used “for marketing purposes,” which included clients’ personal data such as birthdays, addresses, and source of income.
The pawnshop, which has a network of close to 2,500 branches in the Philippines, said its main servers were not affected and transaction details are safe.
“The BSP is closely monitoring the situation and coordinating with the concerned officers of CL to ensure timely remediation and that such exposed information will not be used for fraudulent transactions,” the central bank said in the statement issued late Monday.
Ms. Fonacier said the case falls under a circular which places cybersecurity as a board-level concern among financial firms.
Issued in November 2017, BSP Circular 982 requires all financial players to set up internal systems to identify and counter a wide array of digital attacks through an information security program “commensurate” to the complexity of a firm’s reliance on digital tools.
Last year, the central bank also implemented new rules requiring supervised firms to report digital breaches and cyber-attacks within two hours from discovery, while a more detailed report should follow the next day.
Ms. Fonacier said managing information security risks should be the concern of top management for banks as well as non-bank financial institutions providing services to the public.
Apart from the BSP, the National Privacy Commission is also investigating the Cebuana Lhuillier data breach.
Meanwhile, the Department of Information and Communications Technology (DICT) is preparing guidelines for the implementation of the National CyberSecurity Plan (NCSP) as it acknowledged the recent rise in cyber threats.
“The MCs (memorandum circulars) are already there. But the monitoring, the guidelines will be soon to follow,” DICT Assistant Secretary for Cybersecurity Allan S. Cabanlong said in a briefing on Tuesday.
The NCSP identified 12 critical information infrastructure or “infostructure” as the government; land, sea, and air transportation; energy; water; health; emergency services; banking and finance; business process outsourcing (BPO); telecommunications; and media sectors.
“Our appeal to the 12 critical infostructure is to fast-track their identification of (points of contact) so that we can streamline processes in the National Cyber-Intelligence Platform… (They) should be ready by this year. The attacks are becoming more sophisticated every second, every minute, every hour of the day. So we need to be adaptive, we need to be proactive,” Mr. Cabanlong added.
The DICT is currently developing a cybersecurity management system with concessionaire Integrated Computer Systems, Inc. (ICS) and Israel-based Verint Systems, Inc. The centralized monitoring system is expected to be completed within 10 and a half months, but Mr. Cabanlong said they are requesting ICS-Verint to expedite the process.
“The contract is 10.5 months starting the kickoff. But we are requesting ICS if they can deliver the VAPT (vulnerability assessment and penetration testing) tool and the web intelligence before 10.5 months, maybe next month, so that we can use it already. Why? Because of these attacks,” he said.
Over the weekend, the DICT detected malware on a downloadable file from the Securities and Exchange Commission (SEC) website. The attack has been contained, but the vulnerability assessment is still ongoing.
Mr. Cabanlong said the SEC attack only shows the heightened need for the government to improve its defenses against cyber threats.
He said the DICT plans to propose a law creating a separate agency focusing on cybersecurity.
“We are proposing a law that would separate the cybersecurity bureau to the department, maging line agency na siya [to become a line agency]. It will become a Cybersecurity Agency of the Philippines. Pero ginagawa pa lang namin [But we’re still working on it],” Mr. Cabanlong said. — Melissa Luz T. Lopez and Denise A. Valdez