Every company has to earn the trust and loyalty of its customers to be successful. This means providing exceptional service, offering reliable products, and going the extra mile. In today’s digital landscape, a major part of a company’s success lies in maintaining customer data security – an element often overlooked in most industries. Data breaches can cause devastating harm when hackers expose or sell private information on the dark web. This can lead to ransomware attacks, exploitation, reputational damage, financial losses, and further ripple effects in the long run.

In this blog article, we take a closer look at the recent Jollibee data breach and explore the reasons why the food industry became a target for cybercriminals. We also delve into how businesses can avoid cyber threats in the future. First, let’s get a quick overview of the data breaches affecting the Philippines and the latest data breach incident at fast food chain Jollibee.

Data Breaches in the Philippines

According to Statista, incidents of data breaches in the Philippines reached roughly 0.14 million during the fourth quarter of 2023 alone. Rapid digitalization, evolving hacking techniques, and the lack of adequate cybersecurity measures are some of the main reasons these security threats have become common in the country.

Last year, a cybersecurity firm also ranked the Philippines fifth in Asia and 17th globally for the number of data breaches since 2004. According to their Global Data Breach statistics, a total of 124 million accounts had been breached in the Philippines - the second highest count in Southeast Asia.

As one of the fastest-growing digital landscapes, the entire continent of Asia has seen several cyber-attacks. From the data breach at Shangri-La Hotels in Asia to the most recent Indonesia Immigration Ransomware Breach – service sectors are increasingly taking on the burden of cyber threats. Now, let’s get into the details of the Jollibee data breach in the Philippines.

Jollibee Data Breach

In June, fast food giant Jollibee Foods Corp. (JFC) admitted that it had been the victim of a data breach that could affect around 11 million customers and its connected companies. In a report to the Philippines’ National Privacy Commission (NPC), the company revealed that the breach had compromised sensitive personal information in what is now the largest data breach in Philippine history. The exposed data included dates of birth and senior citizen identification numbers.

The Jollibee Group shared with the NPC that it suspected unlawful access to its data lake on the 22nd of June. This data lake serves as the central repository for data from its business units. Other brands impacted by the Jollibee data breach include Mang Inasal, Red Ribbon, Chowking, Greenwich, Burger King, Yoshinoya, and Panda Express.

The Jollibee data breach came to light after a cybersecurity advocacy group called Deep Web Konek made a social media post on the 20th of June alleging that the breach took place. In the post, the team noted that a user named “Sp1d3r” claimed on a cybercrime forum to have the personal data of 32 million customers and 650 million records related to the company’s food delivery operations. The compromised data supposedly includes names, addresses, phone numbers, and email addresses of customers.


Source: https://x.com/deepwebkonek/status/1803652654046048645

While the e-commerce platforms of Jollibee Food Corp. and all its subsidiaries were unaffected by the breach, the company asked for 20 days to complete its internal investigation. The company assured the stock exchange that it was addressing the incident and has “implemented its response protocols and deployed enhanced security measures to further protect the company's and its subsidiaries' data against threats.” Let’s learn more about the Jollibee Group next.

What Is Jollibee Group?

The Jollibee Group is a multinational, Filipino-based food service company with 18 brands and over 6,800 stores across 33 countries. Jollibee Foods Corp. is now one of the world's fastest-growing Asian restaurant chains and was founded by Tony Tan Caktiong. The company survived the entrance of mega fast-food chains like McDonald’s and KFC and continues to cater to local markets while expanding globally. While it might seem like an odd sector to target for hackers, the food industry is not immune to cyber threats. Let’s look at some of the recent breaches in the industry.


Recent Data Breach Incidents in the Food Service Industry

Looking at recent data breaches allows companies and entire industries to notice patterns and put preventative measures in place. Unfortunately, the food industry is still a vulnerable target for many cyber criminals. Let’s review a few data breaches that impacted the food service industry recently:

Golden Corral Data Breach

In August 2023, US restaurant chain Golden Corral found that a threat actor had accessed its systems and stolen employee data. The company was forced to inform roughly 180,000 individuals that their personal information was stolen in a data breach.

Panera Data Breach

A security incident in March of 2024 leaked staff information at Panera Bread restaurant. This has led to a class-action lawsuit against the company from an employee who claims that the company failed to maintain security safeguards or protocols such as encrypting or redacting sensitive information. The lawsuit also claims that Panera failed to adequately train its employees on cybersecurity and only notified them three months after the incident.

Panda Data Breach

In March 2024, Panda Restaurant Group - the parent company of Panda Express, Panda Inn, and Hibachi-San – admitted to being the victim of a data breach in which the personal data of an undisclosed number of associates was stolen.

Chick-fil-A Data Breach

American fast food chain Chick-fil-A was also hit by a data breach in 2023 that affected over 71,000 customers' accounts in a months-long credential stuffing attack. This allowed threat actors to use stored reward balances and access personal information.

PurFoods Data Breach

In 2023, PurFoods, a U.S. producer of medically-tailored home-delivered meals, disclosed a data breach affecting over 1.2 million people. The company admits that hackers might have accessed customers' personal, financial, and medical information - including names, payment card numbers, Social Security numbers, health insurance member identification numbers, and account passwords.

While the food industry might seem like a harmless target for hackers, a lot of personal information is stored by these businesses. With evolving technologies and the rise of AI cyber-attacks, cybercriminals are finding it easier to automate attack methods and take advantage of the flawed security in place. Let’s further try to answer why the food industry is coming under attack at all.

Why Is the Food Industry Under Attack?

As we can see from the above examples, the food industry stores a large amount of personal data for safety and health reasons. Attackers behind data breaches look for private information wherever they can find it, and the severely undercut cybersecurity measures in the food industry make it a significantly vulnerable sector.

Yahoo reported that while the attack rate across all industries is just 2.5, the account takeover attack rate for food services is a startling 20%. The data showed a few reasons why the food industry is under attack:

  • Online Loyalty Programs: These allow hackers to redeem rewards or money for themselves.
  • Ordering and Delivery Services: Many food delivery services do not invest in advanced cybersecurity and leave payment information vulnerable.
  • Frequency of Use: Most food industry apps are used regularly which makes it easier to hide unauthorized payments or access in the flurry of activity.
  • Storage of Personal Details: Many companies will ask you to subscribe to newsletters or promotional lists to boost advertising, however, that also creates a supply of contact details being stored by unknown sources.
  • Use of New Technologies: While digital transformation is encouraged, many companies will swap in new technologies and platforms without fully understanding their cybersecurity risks.
  • The Cost of Downtime: The food industry needs to keep running to ensure that supply meets demand which makes it very vulnerable to ransomware attacks in which hackers can demand a ransom to ensure that the business keeps running.

Service chain attacks – like the AT&T Data Breach that affected 73 million customers – will have devastating ripple effects that directly affect clients. This is why companies in such vulnerable industries need to stay prepared for the eventuality of a cyber-attack. Let’s go over some ways that the food industry can protect itself from cyber threats next.

How Can Restaurants Prevent Cyber-Attacks?

According to the Federal Trade Commission, there are four ways you can secure your accounts:

  1. Create stronger passwords – Try to ensure that all your accounts have a long and complex password to prevent your data from getting into the wrong hands.
  2. Limit access control – Keep your network secure from outsiders and unauthorized personnel.
  3. Use reliable and advanced AI-powered cybersecurity solutions and technology that provide a strict and automated defense strategy – such as Sangfor Technology.
  4. Update software – Keep your software updated and regularly check for patches to your system.
  5. Educate your workforce on the dangers of phishing scams, social engineering attacks, and more.
  6. Draw up a reliable incident response plan to ensure that the business continues to run and has adequate backups for data.

While companies in the food industry can try to keep up with these practices to maintain their security posture, it is solid regulations and laws that make them mandatory. Looking back at the Jollibee data breach, we’ll try to understand the data breach laws and regulations in the Philippines that are meant to curb the rising number of cyber-attacks.

Laws and Regulations for Data Breaches in the Philippines

The National Privacy Commission (NPC) of the Philippines states that all personal information controllers (PIC) must implement reasonable and appropriate organizational, physical, and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration, and disclosure. Trade Assistant Secretary, Amanda Nograles, is responsible for consumer protection at the department and noted that the attack involves “personal information that's being leaked by the processor,” and that Jollibee Food Corp. was registered with the NPC as a personal information controller and personal information processor (PIP).

Furthermore, by law, companies and individuals processing personal data must notify the NPC and individual affected subjects within 72 hours of discovering a breach. Following the Jollibee data breach, the Department of Trade and Industry said it would be looking into the data breaches and further enforcement action under the Data Privacy Act – which mandates registration of private entities that handle more than 1,000 individuals’ personal information as a PIC or PIP.

When reporting on the Jollibee data breach, the Inquirer spoke to Malayang Konsyumer, a consumer advocacy group, which warned that recent data hacks placed consumers’ rights to privacy in severe jeopardy. The group’s spokesperson stated that “the fact that the attackers are now able to breach the private consumer data of private corporations means the culprits are now acting with more sophisticated technology.”

The Rights Action Philippines (RAP) group also noted that data breaches have become commonplace today - affecting both the public and private sectors. Ferdie Ferido, RAP media relations officer, told the Inquirer in a statement that these attacks show how “weak the country is when it comes to safeguarding the security of our personal information.” Assistant Secretary Amanda Nograles of the Department of Trade and Industry’s consumer affairs and legal service group said they would accept complaints from consumers affected by these data leaks.

Allow the Jollibee data breach to be a reminder that your company’s data is vulnerable in any industry and demands the right protection. For more information on cloud infrastructure and cybersecurity, visit www.sangfor.com today.

 


Frequently Asked Questions

Many of the cybersecurity issues in the Philippines stem from:

  • Rapid digital transformation
  • Evolving cyber threats
  • Underdeveloped cybersecurity infrastructure
  • Lack of cybersecurity awareness

Some common cyber-crimes that occur in the Philippines include:

  • Online selling scams
  • Credit card fraud
  • Investment scams
  • Phishing scams

The food industry is a vulnerable sector for hackers to exploit due to:

  • Online loyalty programs
  • Ordering and delivery services
  • Frequency of use
  • Storage of personal details
  • Use of new technologies
  • The cost of downtime

By law, companies and individuals processing personal data must notify the NPC and individual affected subjects within 72 hours of discovering a breach.

To protect your company from ransomware, you should:

  • Use an effective Ransomware Protection Solution
  • Regularly update software and patches
  • Use strong passwords
  • Enable Multi-Factor Authentication
  • Ensure cybersecurity awareness and training
