Jollibee Probes Alleged Data Breach
The Jollibee probe began after a threat actor claimed responsibility for breaching the systems of Jollibee Foods Corporation.
Krishna Murthy June 24th, 2024
Share on LinkedInShare on Twitter
Jollibee Foods Corporation (JFC), which is the largest fast-food chain operator in Philippines, has launched an investigation for an alleged data breach in its system that may have affected millions of its customers across the globe. The Jollibee probe was initiated after a threat actor claimed responsibility for breaching the systems of the Jollibee Foods Corporation.
On June 21, The Cyber Express reported that a notorious attacker, operating under the alias “Sp1d3r”, claimed to have access to the sensitive data of 32 million customers of the fast food chain and offered to sell the database for $40,000 on the dark web.
Source: X
Details of Jollibee Probe into Cyberattack
The Philippines National Privacy Commission (NPC) regulations make it mandatory for organizations in the country to report and inform stakeholders of cybersecurity incidents within 72 hours of discovery.
A statement was released on June 22 by Richard Shin, Chief Financial Officer and Corporate Information Officer of JFC, which said that it was addressing “a cybersecurity incident” that reportedly affected the company, “in addition to other subsidiaries”.
“The Company is addressing the incident and has implemented its response protocols and deployed enhanced security measures to further protect the Company’s and its subsidiaries’ data against threats. The Company has also launched its investigation on the matter to understand the scope of this incident, and is currently working with the relevant authorities and experts in its investigation,” the statement said.
JFC, however, added that its e-commerce platforms and those of its subsidiaries’ brands remained unaffected by the cyberattack and continued to be operational. It added that the safety of data from stakeholders was paramount for the company.
“JFC recognizes the value and importance of the confidentiality of personal information of its stakeholders. The Company assures the public of its commitment to prioritize the protection and confidentiality of such personal information, including customer data, by continuously fortifying its defenses against future threats,” the company said.
“The Company further assures the public that it continues to monitor and update its security measurements as appropriate under the circumstances, and as may be required by the results of its investigation into this matter,” it added.
The fast-food delivery group urged the public to be vigilant and exercise good information security practices, including keeping passwords secure and changing them often.
Jollibee’s Cybersecurity Concerns
The alleged data breach of the fast-food chain took place on popular data hack site BreachForums on June 20.
The threat actor, “Sp1d3r”, claimed to have carried out a cyberattack and had gained access to the data of 32 million Jollibee customers, including their names, addresses, phone numbers, email addresses and hashed passwords. The hacker also allegedly exfiltrated 600 million rows of data related to food delivery, sales orders, transactions and service details.
JFC, meanwhile, is investigating this alleged cyberattack on its brands and subsidiaries, including Greenwich, Red Ribbon, Burger King Philippines, and Highlands Coffee.
This is not the first time that Jollibee has faced flak for its cybersecurity measures. In December 2017, JFC had informed of a data breach of its delivery website. The NPC had then warned that the data of 18 million customers was at “a very high risk” of being exposed.
After an investigation, the NPC in May 2018 suspended Jollibee’s delivery website due to “serious vulnerabilities.” JFC also took down the delivery websites of its other brands.