In a significant data breach that ranks among the largest in Philippine history, the sensitive personal information of approximately 11 million people has been compromised from the records of fast-food giant Jollibee Food Corp. The leak includes birth dates and senior identification numbers, the National Privacy Commission (NPC) revealed on Monday.
The NPC stated that Jollibee Group informed them of the potential unauthorized access to their centralized data repository, known as the data lake, on Saturday at 11:38 a.m. This repository houses data from all business units of the company.
Roren Marie Chin, chief of the NPC’s Public Information and Assistance Division, confirmed the breach, stating, “Sensitive personal information, including dates of birth and senior ID numbers, has been compromised. Approximately 11 million data subjects are affected, the majority of whom are Jollibee customers.” The breach also impacts other brands under the Jollibee umbrella, including Mang Inasal, Red Ribbon, Chowking, Greenwich, Burger King, Yoshinoya, and Panda Express.
Jollibee has requested an additional 20 days to complete its internal investigation into the breach. Over the weekend, the company, owned by tycoon Tony Tan Caktiong, was already probing the suspected data breach involving its delivery service system.
The cybersecurity advocacy group Deep Web Konek highlighted the breach last Thursday in a social media post, alleging that the personal data of 32 million customers were compromised. The post included an offer to sell the data on an online discussion board.
Recent data breaches in the Philippines have raised alarms among consumer rights groups. Less than a week ago, Maxicare Healthcare Corp. disclosed a breach affecting 13,000 customer records, while Toyota Motor Philippines Corp. experienced a breach involving over a terabyte of data from 2016 to 2024. Property developer Robinsons Land Corp. also suffered a data leak recently.
Consumer advocacy group Malayang Konsyumer warned that these breaches place consumer privacy at severe risk. The group’s spokesperson, lawyer Simoun Montelibano Salinas, stated, “The fact that the attackers can now breach private consumer data of corporations indicates they are using more sophisticated technology.”
Rights Action Philippines (RAP) echoed these concerns, noting the frequency of data breaches across both public and private sectors. RAP’s media relations officer, Ferdie Ferido, criticized the country’s inadequate measures for protecting personal information, saying, “These breaches highlight the weaknesses in safeguarding the security of our personal information.”
In response to these breaches, Assistant Secretary Amanda Nograles of the Department of Trade and Industry’s consumer affairs and legal service group announced that they would accept consumer complaints related to these data leaks. The growing concern over data security calls for urgent action to strengthen the country’s cybersecurity infrastructure and protect consumer data from further breaches.