Jollibee investigates alleged data leak on customer delivery records

The data leak would have led to the files of 32 million customers being put up for sale. And this isn't even the first time Jollibee's online systems have been hacked.

MANILA, Philippines – Jollibee Food Corporation (JFC) is investigating a possible data breach that allegedly exposed the delivery records of 32 million customers.

“We are dealing with a recently reported cybersecurity incident that is believed to impact our business, as well as other companies,” Jollibee Group said in its official statement sent to Rappler on Saturday (June 22).

“We take this matter seriously and have launched an investigation to better understand the scale of the incident.”

The fast food giant also said it was implementing “response protocols” and “enhanced security measures” to protect its data, as well as engaging authorities and experts.

“Our e-commerce platforms are unaffected and remain operational. Please be assured that we are continually strengthening our defenses against future threats and remain committed to our priority of protecting customer data,” the statement added.

The alleged data breach was first reported by Deep Web Konek on Thursday, June 20. The cybersecurity advocacy group said it detected an “alleged data leak from Jollibee Delivery for sale on forums for $40,000, consisting of 32 million customer records and 650 million transaction records, orders customers, customer information, food deliveries and service data.

The group also posted a screenshot of the forum post purportedly announcing the sale of the delivery dataset.

On Friday (June 21), the same group said the data breach also involved “sensitive information” of other Jollibee group companies, such as Chowking and Mang Inasal. Deep Web Konek also posted a screenshot that appeared to show information from a Mang Inasal employee.

Other brands under JFC include Greenwich, Red Ribbon, Burger King Philippines and Highlands Coffee. There have been no reports yet that their data was part of the leak.

This is not the first time JFC has faced controversy over its cybersecurity. In December 2017, JFC reported a data breach involving the customer database of Jollibee's delivery website. A few months later, in May 2018, the National Privacy Commission (NPC) suspended Jollibee's delivery website due to “serious vulnerabilities.” JFC also removed delivery sites for its other brands.

At the time, the NPC warned that the data of 18 million customers was at “very high risk” of being exposed. So far, the NPC has not commented on the latest data breach reported by JFC.

Besides the fast food giant, other major companies have recently suffered massive data breaches. On June 6, the NPC confirmed data breach reports regarding Toyota and Robinsons malls. A few weeks later, on June 18, the NPC also confirmed that it had received a data breach notification report for Maxicare Healthcare Corporation. – Rappler.com