Fast-food conglomerate Jollibee Foods Corp. (JFC) reported a data breach that compromised the personal information of some 11 million customers.
The National Privacy Commission (NPC) confirmed the breach Monday after Jollibee notified it of the incident on June 22, 2024. The NPC said the unauthorized access targeted Jollibee’s data lake, a central repository holding information for all its brands including Jollibee, Mang Inasal, Red Ribbon, Chowking, Greenwich, Burger King, Yoshinoya and Panda Express.
Sensitive data like dates of birth and senior citizen ID numbers were reportedly compromised, raising concerns about potential identity theft and scams.
JFC said in a disclosure to the stock exchange that it submitted the necessary notification to the NPC.
“The company is addressing the incident and has implemented its response protocols and deployed enhanced security measures to further protect the company’s and its subsidiaries’ data against threats. The company has also launched its investigation on the matter to understand the scope of this incident, and is currently working with the relevant authorities and experts in its investigation,” the company said.
JFC said its e-commerce platforms and those of its subsidiaries’ brands were unaffected by the incident and remain operational.
JFC said it recognizes the value and importance of the confidentiality of personal information of its stakeholders.
It assured the public of its commitment to prioritize the protection and confidentiality of such personal information, including customer data, by continuously fortifying its defenses against future threats.
“The company further assures the public that it continues to monitor and update its security measurements as appropriate under the circumstances, and as may be required by the results of its investigation into this matter. The company also wishes to encourage the public to exercise vigilance in information security practices, including keeping passwords secure and changing them often,” it said.
JFC requested an additional 20 days to finalize its internal investigation. The incident followed another data breach reported last week involving health maintenance organization Maxicare, which affected around 13,000 members.
The NPC emphasized the importance of data security and urged Jollibee Group to provide a comprehensive explanation of the breach and a concrete plan to protect customer information in the future.