The National Privacy Commission (NPC) is conducting an investigation over a reported Cebuana Lhuiller’s data breach involving their email server, according to an official statement of NPC Commissioner Raymund Liboro on Saturday, 18 January, 2019. 

According to Liboro, representatives from Cebuana Lhuiller sought the assistance of NPC to resolve the matter on Friday, 17 January, 2019, and has committed to submit a more detailed incident report.

In the same statement, Cebuana Lhuiller said they had already tapped services of a third party information security provider to handle their mitigation and response to the incident.

The National Computer Emergency Response Team (CERT-PH), meanwhile, is also conducting its own separate investigation while also urging IT personnel to practice good cyber hygiene to safeguard their servers and other assets.

The involved company has now 72 hours from the point of discovery of the data breach to report to the NPC the scope and severity of the incident.

As an attached agency of the Department of Information and Communications Technology (DICT), the NPC is mandated to administer and implement the Data Privacy Act of 2012 and to monitor and ensure compliance of the country with international standards set for data protection.  

Read NPC Commissioner Liboro’s full statement here: