Privacy commission orders Jollibee to suspend online delivery services over data breach

The National Privacy Commission (NPC) on Tuesday ordered fast-food giant Jollibee Foods Corp. to suspend its online delivery platform indefinitely due to a data breach reported by the company in December last year.

The NPC ordered Jollibee to suspend the operations jollibeedelivery.com and all other data processing open to the public through the internet and restrict external access to their networks, for an indefinite time until the site’s identified vulnerabilities are addressed, as validated by a duly certified penetration testing methodology.

The order came after the privacy watchdog conducted an investigation and a series of meetings with officials of the fast-food company in relation to a data breach report submitted by Jollibee on December 12, 2017.

Jollibee has yet to respond to inquiries as regards their comment on the commission's order.

READ: Nat'l Privacy Commission orders Jollibee to suspend https://t.co/rlkj5YhmeY amid data breach | via @Ted_Cordero pic.twitter.com/mknAZaSTks

— GMA News (@gmanews) May 8, 2018

The NPC said Jollibee notified the agency that on December 8, 2017, persons unknown to the company appeared to have been able to gain access to the customer database of its delivery website.

"In the course of the investigation, the Complaints and Investigation Division (CID) identified the breach to be a result of a proof-of-concept initiated by a marketing PR team representative of Jollibee, who made representations to a domestic cybersecurity firm," the NPC said.

The NPC said its CIS invited said cybersecurity firm to a meeting, wherein one of its members narrated that while conducting vulnerability testing for another client, noticed a security gap in the jollibeedelivery.com website.

"While their group was able to exploit the vulnerabilities, their firm insisted that they did not scrape or exfiltrate any data, because they merely demonstrated their ability to access the data in Jollibee’s database if they so desired," the privacy watchdog said.

Shortly after the breach, Jollibee made corrective measures internally and through its third party IT security providers.

Jollibee's data protection officer J’Mabelard Gustilo said that the company treated the cybersecurity firm responsible for the breach as an uncontracted entity or stranger who had no authority to infiltrate their IT infrastructure, according to the NPC.

"In a later meeting, Gustilo admitted to the CID that the database protection was not up to date, and some data, including personal information, were unencrypted," it said.

"Although CID noted some improvements in protecting data privacy on the part of the Jollibee Foods Corp. Group after the suspected breach, more consistent and effective efforts are needed to protect the data. As DPO, Gustilo acknowledged difficulty in effecting the needed data protection and security measures for various reasons, such as budgetary constraints, low prioritization or outright disinterest within the organization," it added.

Following the meetings, the NPC said its CID on February 20 began conducting its own vulnerability assessment of Jollibee’s website and found that it remains vulnerable to unauthorized access.

"Such vulnerabilities may allow malefactors with little to moderate technical knowledge and skill to access personal information of Jollibee patrons through its website," it said.

"Considering that smaller systems with more robust security measures have been exposed, there is a very high risk that approximately 18 million people currently on the database will be exposed to harm," it added.

The NPC also said that since these vulnerabilities were made known to Jollibee for quite some time, and that their online properties remain vulnerable, urgent action is necessary to protect the personal data of those using the company's delivery service.

Apart from suspending its online delivery platform, Jollibee was also ordered to submit a security plan to be implemented in rehabilitating said system to ensure the integrity and retention of the database and its content within 10 calendar days.

The NPC ordered the fast-food company to employ Privacy by Design in the reengineering of its data infrastructure and conduct a new Privacy Impact Assessment, considering the vulnerabilities exposed in the Commission’s penetration tests and in subsequent penetration tests ordered in the next preceding section.

The privacy watchdog also directed Jollibee to file a monthly progress report on the matter until the issues raised are resolved.

Temporarily offline

In a Tuesday evening statement,  Jollibee Foods Corp. said it had temporarily taken the Jollibee delivery website offline "in compliance with the NPC order."

"We are currently addressing the issues the National Privacy Commission (NPC) has outlined, and we are closely coordinating with them on this," read the statement.

Additionally, the company also took down delivery websites of its other brands "as an added precaution," except for Burger King which the company said was on a different platform.

"With this, we will be able to facilitate faster online delivery system improvements and update security measures that will further strengthen data protection," it said.

The fast-food giant also said it would conduct its own investigation and would perform its own security checks on its system.

"We assure the public that safeguarding the confidentiality of our customers’ personal data remains Jollibee Foods Corporation’s priority," the statement read. — Margaret Claire Layug/NB/DVM, GMA News