MANILA, Philippines (UPDATED) – The National Privacy Commission (NPC) suspended the delivery website of fast-food giant Jollibee, jollibeedelivery.com, over "serious vulnerabilities" in its online systems.
The NPC sent the suspension order to Jollibee Foods Corporation (JFC) on Tuesday, May 8, and also posted it on privacy.gov.ph.
In a statement on Tuesday, JFC said it complied by temporarily taking down the Jollibee delivery website. "As an additional precaution," it also voluntarily took down the delivery websites of its other brands, "with the exception of Burger King which is on a different platform."
"With this, we will be able to facilitate faster online delivery system improvements and update security measures that will further strengthen data protection," said JFC.
Around 18 million people on Jollibee's database – people who order using the website – are currently at "a very high risk" of being exposed to online harm, according to the NPC.
The commission said that users face such a high level of risk because "smaller systems with more robust security measures" have been exposed. Jollibee's systems, based on the NPC's findings, appear to be very weak.
The suspension order comes months after Jollibee reported a data breach back in December 2017.
JFC, through its data privacy officer J'Mabelard Gustilo, notified the NPC of a data breach that happened on December 8, 2017. Then-unknown entities were able to gain access to the customer database of jollibeedelivery.com.
The NPC’s investigation identified the breach to be a result of a proof-of-concept test, which it turns out was initiated by Jollibee’s own marketing public relations team through a third-party local cybersecurity firm. In this instance, the test was used to check if the systems were secure.
One of the members of the cybersecurity firm told the NPC that they were indeed able to exploit vulnerabilities, but did not scrape or exfiltrate any data, and that they only demonstrated their ability to access the data on jollibeedelivery.com.
It remains unclear as to why Jollibee's marketing public relations team was initiating a proof-of-concept test for cybersecurity matters related to their delivery website and why JFC's own data privacy officer appears to not have known about it.
In the NPC document, Gustilo's only statement on the third-party local cybersecurity firm is that it was "treated as an uncontracted entity or stranger who had no authority to infiltrate their IT infrastructure."
After the incident, the NPC noted some data privacy improvements, but eventually found that the website still remains vulnerable to attackers with even "little to moderate technical knowledge and skill."
These conclusions have eventually led to the suspension order, which will be in place indefinitely, until new systems pass the NPC's tests.
Along with the suspension, JFC was also ordered to submit a security plan, reengineer its data infrastructure for privacy, conduct an assessment of the impact of the vulnerabilities, and file a monthly report until the data privacy issues are resolved.
"We are currently addressing the issues the [NPC] has outlined, and we are closely coordinating with them on this. Beyond what NPC shared, we have been conducting our own investigation and performing security checks on our system," JFC said.
"We assure the public that safeguarding the confidentiality of our customers' personal data remains Jollibee Foods Corporation's priority."
Prior to the suspension order, Gustilo admitted that the database protection was not up-to-date and that some data were not encrypted. He also mentioned company difficulties in putting up protection such as budgetary constraints, low prioritization, or outright disinterest within the organization. – Rappler.com