
BSP begins investigation on Cebuana data breach

The Bangko Sentral ng Pilipinas said Tuesday it is coordinating with Cebuana Lhuillier, one of the leading remittance companies, on the reported data breach of around 900,000 clients.

“The Bangko Sentral ng Pilipinas has recently been informed of a data breach incident involving Cebuana Lhuillier which affected personal information of about 900,000 clients,” the Bangko Sentral said in a statement.

“The BSP is closely monitoring the situation and coordinating with the concerned officers of CL to ensure timely remediation and that such exposed information will not be used for fraudulent transactions,” the regulator said.

Bangko Sentral Deputy Governor Chuchi Fonacier said on the sidelines of an event in Pasay City that the incident was “covered by BSP Circular 982, that pertains to information security and risk management of its covered financial institutions.”

Cebuana Lhuillier informed its clients by email that it detected unauthorized downloading in one of its email servers. Cebuana said the personal information of around 900,000 clients, including name, birth date, email address, mobile number and, in some cases, income information, may have been exposed in the incident.

The policy-making Monetary Board of Bangko Sentral approved in October 2018 the amendments to existing regulations which tightened the reporting regime for its supervised financial institutions on cyber-related incidents and operational disruptions.

It said this was in response to the increasingly persistent, sophisticated and targeted attacks launched against financial institutions.

“Prompt reporting of these incidents by BSFIs will allow the Bangko Sentral to have an enhanced visibility on the changing IT risk landscape and to proactively ensure that their impact and resulting risks are minimized and contained to avert potential systemic risks to the financial system,” it said.

Fonacier said that in the case of Cebuana, the remittance firm reported the incident at once to the National Privacy Commission and to the Bangko Sentral.

Under the circular, BSFIs are now required to report major cyber-related incidents and disruptions of financial services and operations within two hours from discovery of the incident.  

“This is necessary in view of the speed of exploitation, proliferation of attack tools and actors, and potentially massive extent of damage from cyber-related incidents. Having quick access to information on these incidents will enable the BSP to alert other banks, industry associations and other relevant stakeholders that may be affected by a specific attack,” the board said.

After the initial notification, the affected BSFIs are mandated to submit a follow-up report within 24 hours from the incident containing information such as the manner and time of initial detection, impact of the incident, and initial remedial response.  

The BSP is tasked to closely monitor the situation, coordinate with the concerned BSFI, and undertake appropriate supervisory actions if warranted, until full resolution of the incident.  

The new regulations are consistent with BSP Circular No. 982 on enhanced guidelines on information security management, issued in 2017, which identified incident reporting as part and parcel of BSFIs’ incident management plans.
