NPC orders Jollibee Foods Corp to suspend jollibeedelivery.com
The National Privacy Commission (NPC) has ordered Jollibee Foods Corporation (JFC) to suspend its website jollibeedelivery.com.
The order was issued in relation to the data breach report submitted by Jollibee Foods Corporation on December 12, 2017. In the Breach Notification, JFC Group DPO J’Mabelard M. Gustilo informed the NPC that on December 8, 2017, persons unknown to the JFC Group appeared to have been able to gain access to the customer database of the delivery website for Jollibee.
According to the order, “the Complaints and Investigation Division (CID) identified the breach to be a result of a proof-of-concept initiated by a marketing PR team representative of Jollibee, who made representations to a domestic cybersecurity firm.”
The NPC is ordering JFC to suspend the operations of jollibeedelivery.com and all other data processing open to the public through the internet, and to restrict external access to its networks, for an indefinite time until the site’s identified vulnerabilities are addressed, as validated by a duly certified penetration testing methodology.
The company is also ordered to submit a security plan to rehabilitate the system, employ Privacy by Design in the re-engineering of JFC Group data infrastructure, conduct a new Privacy Impact Assessment, and file a monthly Progress Report on the matter until issues are resolved.
— Jacque Manabat (@jacquemanabat) May 8, 2018