By Ma. Teresa Montemayor

Logo courtesy of Jollibee Foods Corporation

MANILA – The data breach affecting 11 million customers of Jollibee Foods Corporation could be part of a string of extortion or ransomware activities happening worldwide, the National Privacy Commission (NPC) said Wednesday.

“Sa aming pagsisiyasat, maari itong connected sa marami pong extortion activities na nangyayari ngayon sa buong mundo specifically ngayong Hunyo (In our investigation, this may be connected with the many extortion activities happening around the world specifically this June),” NPC Compliance and Monitoring Division chief Rainier Anthony Millanes said in a Bagong Pilipinas Ngayon interview.

Ransomware activities involve the use of malware that holds a sensitive data or device hostage belonging to a company or individual with the threat to keep it locked unless the victim pays ransom.

Citing that 165 companies globally are experiencing attacks on their data repositories, Millanes said it is possible that Jollibee is a client of the cloud computing service provider involved in the reported data breaches.

On June 22, the Jollibee Foods Corporation notified the NPC about the issue. Other brands affected by the data breach include Mang Inasal, Red Ribbon, Chowking, Greenwich, Burger King, Yoshinoya and Panda Express.

Sensitive personal information, including dates of birth and ID numbers of seniors citizens, have been compromised.

Millanes said Jollibee Foods Corporation has requested 20 more days to complete its internal investigation.

“Sa mga made-determine po ng Jollibee, bibigyan po nila kayo ng notification (Notification will be given to customers of Jollibee who will be identified as victims). That’s their obligation to notify individually data subjects affected,” he said.

“Obligasyon din po ng Jollibee na bigyan kayo ng assistance sa pagprotekta ng inyong data (It is also Jollibee’s obligation to provide assistance for your data protection),” he said.

To date, the NPC is investigating the case together with the Philippine National Police Cybercrime Division.

A cybercriminal with the handle name “spider” announced the Jollibee data breach over a popular dark website, Millanes said.

It is possible that the compromised data will be used for the proliferation of scam text messages or phishing links, he said.

Earlier this month, carmaker Toyota and real estate firm Robinsons Land have also reported data breaches.

Millanes reminded companies and organizations collecting personal information to monitor their privacy security mechanisms all the time and not only during instances of data breach.

He also advised Filipinos to regularly change account passwords and to practice multi-factor authentication for added protection since everyone is considered a data subject.

“Mas mabuti po na mag-enable na tayo sa lahat ng accounts natin ‘yung multi-factor authentication (It is best that we enable multi-factor authentication in all our accounts),” he said.

“Single factor authentication is almost two decades obsolete already,” he said. (PNA)