MANILA, Philippines — The National Privacy Commission (NPC) on Wednesday said the data breach involving Jollibee may be a part of a series of extortion activities happening globally.
According to NPC-Compliance and Monitoring Division (CMD) chief Rainier Millanes, around 165 companies in different countries were recorded to have been affected by such attacks in June 2024.
READ: NPC confirms data of 11M Jollibee customers leaked
“Maaari pong connected po ito sa string of extortion activities – ito po iyong paghingi ng pera kapalit ng datos or ransomware extortion activities na nangyayari ngayon sa buong mundo. Hindi lang po Jollibee iyong tinamaan, pati po karamihan po ng mga kumpanya sa buong mundo ay tinamaan din po nitong ganitong klaseng pag-atake,” said Millanes in a Bagong Pilipinas Ngayon briefing.
(This may be connected to the string of extortion activities – asking for money in exchange for data or ransomware extortion activities – that is happening around the world today. Not only Jollibee was hit, most companies around the world were also hit by this type of attack.)
While the investigation on the cyberattack is ongoing, Millanes said the data breach affected 11 million customers, including customers of Jollibee, Chowking, Greenwich, Red Ribbon, Mang Inasal, Burger King, Yoshinoya and Panda Express.
When asked which specific information was compromised, Millanes explained that it was their data link.
Data link, said the NPC official, refers to a collection of information which could include personal data or other information.
“Iyong extent po, inaalam pa po ng Jollibee sa ngayon at humingi po sila sa atin, allowed naman po iyan sa rules of procedure ng NPC, humingi po sila sa atin ng 20 days starting last Saturday – additional 20 days for them to be able to identify, personally identify and notify affected data subjects and also for them to conduct iyong kanilang internal investigation on the matter,” said Millanes.
(Regarding the extent, Jollibee is still investigating this and they asked us for 20 days starting last Saturday, which is allowed in the rules of procedure of the NPC– additional 20 days for them to be able to identify, personally identify and notify affected data subjects and also for them to conduct their internal investigation on the matter.)
Millanes said the compromised data was leaked by a certain “Spider” in the dark web, but also said that the NPC is not yet discounting the possibility that the data breach could have been an inside job, pending an investigation.