MANILA, Philippines - Philippines' largest non-bank financial service provider, Cebuana Lhuillier has revealed details of a massive data breach, which has drawn the attention of the country's National Privacy Commission (NPC).
The company said in a statement over the weekend that the data of 900,000 of its clients had been accessed without authorization.
The firm, which provides services like pawning, remittance, microinsurance, and business to business micro loan solutions, sought to reassure clients in its announcement and said that it had already alerted authorities to investigate the incident.
Cebuana Lhuillier added that some information like birthdays, addresses and sources of income, were affected in the breach.
The company noted that the breach involved an email server that had been used for marketing.
In a statement, Richard Villaseran, the company's corporate communications division head said, "It's just a very small portion of our clientele. The main server containing all clients of Cebuana Lhuillier remains protected and uncompromised."
Cebuana Lhuillier said in its statement, "We are committed to ensuring the data privacy of our clients and adhere to strict security protocols in protecting our interests. We will provide additional information regarding the incident as soon as it becomes available."
He clarified that the company's clients had been advised on how to further protect their personal information.
The company later said that the breach affected 3 percent of its total clientele.
It added that unthorized downloads from its servers took place on August 5, 8 and 12, 2018, but that it had detected attempts to use one of its servers on January 15.
The breach was revealed at a time when Philippine investigators were looking into allegations made by the country's foreign minister, who claimed that a privately contracted firm took away documents and data from the passport database of the Department of Foreign Affair.
In a statement after the breach was revealed, Raymond Liboro, the Privacy Commissioner said that the NPC is investigating the incident.
Liboro added, "Cebuana Lhuiller has 72 hours from discovery of a data breach to report the same to the Commission and affected data subjects. The data subject notification must be done individually, and not further expose the data subject to more harm."