MANILA, Philippines (UPDATED) – The rewards platform of Cebu Pacific, GetGo, experienced unauthorized access to its server, prompting the budget carrier to shut it down temporarily and launch a probe.

In a statement on Thursday, April 25, Cebu Pacific said the GetGo application server was breached on Wednesday night, April 24.

“Cebu Pacific confirms that there was an unauthorized access to a GetGo application server last night. This server has been secured. We can also confirm that credit card information was not stored on that server,” Cebu Pacific said.

Hackers’ group Pinoy LulzSec, in a tweet on Wednesday night, claimed responsibility for the breach.

“Large data breach coming from GetGo to [Cebu Pacific]. Active directory is life,” the Pinoy LulzSec account tweeted, seemingly done by a person with the alias “Kangkong.”

Large Databreach Coming 🙂 From GetGo to CebPac <3 Active Directory is lyf.

Hello @CebuPacificAir ;*https://t.co/6MaH66oPfn

[+] Mirror [+]https://t.co/6nxS92inra

~kangk0ng pic.twitter.com/sjUyHU1ymR

— Pinoy LulzSec (@PinoyLulzSec__) April 24, 2019

The hackers’ group also tagged the National Privacy Commission (NPC) in another tweet, saying it may want to “ping Cebu Pacific for the breach notification.”

Cebu Pacific said on Thursday that it temporarily disabled logging into its website and mobile app using GetGo credentials.

“All GetGo online channels have also been temporarily disabled as we continue to investigate the matter. We have informed the National Privacy Commission, and are working with them on the investigation,” the airline said.

Cebu Pacific gave assurances that both its website and mobile app remain secure.

NPC probe

In a separate statement, Privacy Commissioner Mon Liboro said Cebu Pacific emailed a preliminary notification to the NPC at 11:37 am on Thursday.

“In the notification, the company’s data protection officer Randall Evangelista said the ‘extent and nature’ of the breach is still being determined,” Liboro said.

The NPC asked Evangelista “to also ascertain if there is a need to inform affected data subjects of the breach” and to relay measures they can take to protect themselves.

“We have instructed Evangelista to personally report tomorrow (Friday, April 26) to the NPC complaints and investigation team,” added Liboro.

In 2018, Pinoy LulzSec was also responsible for defacing several government websites, some of which experienced leakage of information to the public.

Back in 2016, a group known as LulzSec Pilipinas hacked into the Commission on Elections database. – Rappler.com