The National Privacy Commission of the Philippines (NPC) has ordered homegrown global fast food giant Jollibee to suspend online delivery operations following data vulnerabilities on its website.
According to an order notice issued by the NPC dated 4 May, Jollibee Foods Corporation (JFC) had notified the Commission in December 2017 that persons unknown to the company had been able to gain access to the customer database of its delivery website.
Following investigations, the Complaints and Investigation Division (CID) identified the breach as the result of a proof-of-concept that originated with a marketing PR team of Jollibee, which had made representations to a cybersecurity firm. A member of the cybersecurity firm had, while conducting vulnerability testing for another client, noticed security gaps on the jollibeedelivery.com website. The firm said that although it had the ability to exfiltrate data, it had not done so, and had merely demonstrated that it could access Jollibee’s database if it wished.
Jollibee then proceeded to handle corrective measures internally and through third-party IT security providers, but it had treated the cybersecurity firm, in the context of the incident, as an uncontracted entity with no authority to infiltrate its IT infrastructure.
Jollibee had, at a subsequent meeting, admitted to the CID that its database protection was not up to date and that some data, which included personal information, was unencrypted.
“Although CID noted some improvements in protecting data privacy on the part of the JFC Group after the suspected breach, more consistent and collective efforts are needed to protect the data,” said the notice.
The company had acknowledged difficulty in effecting the needed data protection and security measures for various reasons such as budgetary constraints, low prioritisation or outright disinterest within the organisation. The CID then conducted its own vulnerability assessment on Jollibee’s website and found that it remains vulnerable to unauthorised access, which may allow malfeasants with little to moderate technical knowledge and skill to access the data of Jollibee patrons through the website. Approximately 18 million customers in the database are at risk.
Aside from suspension, Jollibee was ordered to submit a security plan to fix the system "to ensure the integrity and retention of the database."
It must also conduct a new Privacy Impact Assessment and file a monthly progress report "until the issues raised in this order are resolved."
Jollibee is not the only fast food chain which has come under fire from the NPC for data vulnerabilities. Wendy’s Philippines had also notified the NPC that its website had been breached and personal data of users may have been compromised in April 2018.
Following orders from the NPC, which found that over 82,000 records with personal details were exposed, Wendy’s has informed customers of the breach and shut down its website for the moment.
Wendy’s had admitted that earlier attempts at implementing security measures were foiled when information technology officers of the company resigned before any of the measures were implemented.
The NPC has ordered Wendy's to provide a copy of website logs prior to the breach, and conduct a new privacy impact assessment taking into account the vulnerabilities exposed in the data breach.