An investigation has been launched by Jollibee Foods Corporation (JFC), the Philippines’ largest fast-food chain operator, following claims of a data breach affecting millions of its customers globally. The probe was prompted by a threat actor claiming responsibility for breaching JFC’s systems.
On June 21, reports surfaced that a hacker known as “Sp1d3r” asserted access to sensitive data belonging to 32 million Jollibee customers, offering to sell the database for $40,000 on the dark web.
The Philippines National Privacy Commission (NPC) mandates organizations to report cybersecurity incidents within 72 hours. In response, Richard Shin, JFC’s Chief Financial Officer and Corporate Information Officer, announced on June 22 that the company was addressing a “cybersecurity incident” affecting itself and subsidiaries.
“The Company is addressing the incident and has implemented response protocols and enhanced security measures to safeguard data against threats,” the statement assured. JFC clarified that its e-commerce platforms and subsidiaries’ brands were unaffected and operational.
Acknowledging the importance of stakeholders’ data confidentiality, JFC reaffirmed its commitment to prioritize protection.
It urged the public to practice good information security, emphasizing password security and regular changes.
The alleged breach, disclosed on BreachForums on June 20, included personal data such as names, addresses, phone numbers, email addresses, and hashed passwords of 32 million customers, along with 600 million rows of food delivery, sales orders, transactions, and service details.
JFC is investigating the cyberattack on its brands and subsidiaries, including Greenwich, Red Ribbon, Burger King” data-wpil-keyword-link=”linked”>Burger King Philippines, and Highlands Coffee. This incident echoes a previous data breach in 2017, leading to the suspension of Jollibee’s delivery website in 2018 due to vulnerabilities identified by the NPC.