Pawning and remittance firm Cebuana Lhuillier on Saturday admitted that its servers have been breached, which may have compromised personal data of around 900,000 clients, the portal GMA News Online reports.
In a notice sent to its customers through email, the company's data privacy officer informed clients of the incident.
"We are writing to inform you of a security incident which may have affected your personal data stored in one of our email marketing tool servers," Cebuana Lhuillier said. The remittance firm said it detected on January 15, 2019 several attempts to use one of its email servers as a relay to send out spam to other domains.
"Follow-up investigation resulted in the discovery of unauthorized downloading of contact lists used as recipients for email campaigns," it said.
"These unauthorized downloads took place on August 5, 8, and 12, 2018," it added.
Cebuana Lhuillier said clients' personal information including name, birth date, email address, mobile number and in some cases, income information may have been exposed in the incident. In a separate statement, the PJ Lhuillier Group of Companies—the company behind the Cebuana Lhuillier brand—said that information of around 900,000 clients was affected.
"Upon discovery, remedial actions were taken to reduce the harm. The server was immediately disconnected from the network after confirmation of breach," it said.
"The incident was likewise reported to the National Privacy Commission," it added.
The company said transaction details or information were not compromised and its main servers remain safe and protected. Cebuana Lhuillier currently has 2,500 branches across the country. The company offers pawning, remittance, micro-insurance, and micro loan services. The company advised clients to immediately change the passwords of all user accounts in which personal information, or portions of it, is used as a password, as a "precautionary measure."
"Do not use the same password across multiple accounts. Use strong passwords. Change passwords regularly," it emphasized.
"Regularly check your accounts for suspicious transactions," it added.
The remittance firm also encouraged clients to take advantage of available two-factor authentication features of applications that they use.
"For example, you can configure your account to require a one-time passcode (sent to your phone or other email) in addition to your password before you can access," it said. Cebuana Lhuillier also advised clients to be very cautious about requests for personal information that require them to click on links or download attachments contained in email, SMS or private messages.
"Take time to validate these requests for personal information through other communications channels (e.g. contact numbers in billing notices) with your online services providers," it said.