Cebuana Lhuilier, one of the most notable pawnshop chains in the country, noticed a data breach last Saturday, the 19th of January 2019. The company said that the breach affected over 900,000 clients, both locally and internationally.
The company notified its customers by email and said that it had already sent a blast email confirming the notice to all of its clients.
P.J. Lhuilier, parent company of Cebuana Lhuilier, said that the email server it uses for “marketing purposes” was the one affected by the data breach.
What information was compromised?
According to the company, the information taken was the clients' addresses, birthdays, and sources of income, which the micro-financial company requires before people can do transactions.
Cebuana Lhuilier also said that it detected the breach on the 15th of January 2019, after it saw a few attempts to use one of its email servers to send spam emails to other domains.
“We are writing to inform you of a security incident which may have affected your personal data stored in one of our email marketing tool servers. Follow-up investigation resulted in the discovery of unauthorized downloading of contact lists used as RECIPIENTS for email campaigns.”
The company also pointed out that these unauthorized downloads happened on the 5th, 7th, and 12th of August 2018.
Currently, Cebuana Lhuilier has 2,500 branches nationwide. From pawning, their services evolved to micro-insurance, loan services, and remittances.
Because of the incident, P.J. Lhuilier and Cebuana Lhuilier immediately advised clients to change their passwords on all of their accounts where personal details or information are used. This applies even if only a small part or portion of the personal email is used.
What other security measures can clients take to avoid this in the future?
Although this is something that a company needs to handle, clients and customers can help protect themselves by taking advantage of two-factor authentication for their applications.
Two-factor authentication is a method in which access is granted ONLY after the user presents two (2) or more pieces of identification. For example, users can require one-time passwords sent to either their email addresses or their mobile phones before access to the app or the account is granted.
The company also reminded its clients to be extra cautious about requests for personal or professional information that require them to download files or click on links, because these are tools used by scammers to phish information from people.
“Take time to validate these requests for personal information through other communications channels (e.g. contact numbers in billing notices) with your online services providers.”
In conclusion, the Philippines’ privacy body will still issue a statement about the breach of data.
What do you think about this? Should the government put more effort into securing the people’s data? Or should companies have better security measures?