PJ Lhuillier group admits data breach on its pawnshop email server

CEBU CITY, Philippines — Some personal identity information of around hundreds of thousands of Cebuana Lhuillier clients has been stolen.

This is revealed in a statement issued by the PJ Lhuillier Group of Companies, the mother company of Cebuana Lhuillier.

“We recently discovered a data breach which affected our email server that is used for marketing purposes. Information of around 900,000 clients was affected. Some of these information included birthdays, addresses and source of income,” the statement said.

However, the company assured clients that the transaction details or information have not been compromised and that the company’s main servers remain safe and protected.

“Upon discovery, we immediately coordinated with the National Privacy Commission (NPC) to investigate the matter, and already implemented safety measures to protect the personal data of our clients,” the company added.

Aside from informing the affected clients of their data breach, the company said they provided guidance on how to protect their personal information.

 “We are committed to ensuring the data privacy of our clients and adhere to strict security protocols in protecting our interests,” according to the statement from PJ Lhuillier group.

In response to an email sent to Deputy Privacy Commissioner Leandro Angelo Aguirre of the National Privacy Commission, he provided CDN Digital a copy of the official statement of Privacy Commissioner Raymund Enriquez Liboro on the Cebuana Lhuillier Breach.

In his statement, Liboro said that they first learned about the data breach on the pawnshop on Friday, January 18, 2019.

He said the representatives from Cebuana Lhuillier went to the National Privacy Commission on that day to seek assistance regarding a data breach involving their email server.

According to Liboro, the pawnshop representative committed to submit a more detailed report on the data breach.

Companies subjected to data breaches are required to report to the commission and the affected data subjects within 72 hours from discovery of the incident. 

They also have to inform those affected individually so as not to further expose the data subject to more harm. 

Cebuana Lhuillier has hired a third party information security service provider to address the data breach.

Meanwhile, Deputy Commissioner Aguirre said the commission’s complaints and investigation division has started investigation on the incident./dbs

Read more...