Cebuana Lhuiller, a Philippines-based firm providing pawnshop, microinsurance, and other financial services, was hit by a data breach which affected the personal information of around 900,000 customers.
The company said in a statement that one of its email servers, which was used for “marketing purposes”, was compromised, with the attacker gaining access to customers’ birthdays, addresses and source of income.
“On January 15, 2019, we detected attempts to use one of our email servers as a relay to send out spam to other domains,” the company’s notice to its customers said.
“Follow-up investigation resulted in the discovery of unauthorised downloading of contact lists used as recipients for email campaigns. These unauthorised downloads took place on August 05, 08, and 12, 2018.”
The company, which has over 2,500 branches across the archipelago, assured its customers that transaction details and its main servers “remain safe and protected.”
Meanwhile, the country’s National Privacy Commission (NPC) has ordered an investigation into the data breach.
“At the meeting, they committed to submit a more detailed report regarding the data breach,” Commissioner Raymund Liboro told the Philippine Star. “Cebuana Lhuillier informed us that it has engaged the services of a third-party information security provider to handle their mitigation and response to the incident.”