JFC shuts delivery websites due to vulnerabilities

Font Size

“We look forward to tapping into JFC’s market expertise to grow the Panda Express brand into a household name in the Philippines," said Panda Express Co-Founder Andrew Cherng

JOLLIBEE Foods Corp. (JFC) on Wednesday took down the delivery websites of its flagship brand, as well as Chowking, Red Ribbon and Greenwich, after the National Privacy Commission (NPC) flagged security vulnerabilities of its online platform.

The NPC on Tuesday ordered JFC to indefinitely suspend the operations of and other online processing operations due to identified vulnerabilities in the restaurant chain’s website.

In a statement on Wednesday, JFC said it is conducting its own investigation and security checks on its system.

“With this, we will be able to facilitate faster online delivery system improvements and update security measures that will further strengthen data protection. We assure the public that safeguarding the confidentiality of our customers’ personal data remains JFC’s priority,” it said.

Francis Euston R. Acero, division chief of the NPC’s complaints and investigations division (CID), clarified that JFC did not suffer a data breach. However, he said certain individuals were able to prove it was possible to access data on the Jollibee delivery website.

“They were only able to demonstrate that it was possible. There was no data breach at all,” Mr. Acero said in a phone interview.

The NPC had also ordered JFC to restrict external access to its networks for an indefinite time “until the site’s identified vulnerabilities are addressed, as validated by a duly certified penetration testing methodology.”

NPC said that vulnerabilities in the Jollibee delivery website imply a “very high risk” that approximately 18 million people currently on the database may be exposed to harm.

JFC was directed to submit a security plan to the NPC, as well as employ “privacy by design”; conduct a new privacy impact assessment; and file a monthly progress report.

The order comes after a notification by JFC Group data privacy officer J’Mabelard M. Gustilo that on Dec. 8, 2017, persons unknown to the JFC Group “appeared to have been able to gain access to the customer database of the delivery website for Jollibee.”

CID identified the incident to be a result of a proof-of-concept done by the company’s marketing public relations team representative, who then approached a cybersecurity firm.

In the same month, the CID invited the firm to a meeting wherein one of its members said that he noticed a security gap in the Jollibee delivery website.

“While their group was able to exploit the vulnerabilities, their firm insisted that they did not scrape or exfiltrate any data, because they merely demonstrated their ability to access the data in Jollibee’s database if they so desired,” the NPC order read.

Mr. Gustilo then tapped third party providers to correct the gaps but flagged the cybersecurity firm as responsible for the breach.

He also admitted to the CID that the website’s database protection was not up to date, and that some data, including personal information, were unencrypted.

“Following these meetings, on 20 February 2018, the CID began conducting its own vulnerability assessment of Jollibee’s website and found that it remains vulnerable to unauthorized access. Such vulnerabilities may allow malefactors with little to moderate technical knowledge and skill to access personal information of Jollibee patrons through its website,” the order read.

Also last week, NPC ordered Wenphil Corp., operator of Wendy’s Philippines, to notify persons affected in the breach and wholesale leak of its database last April 23.

The NPC said that an estimated 82,150 records were exposed in the incident, wherein unknown individuals published online a database from the Wendy’s website. — Patrizia Paola C. Marcelo