Cebuana Lhuillier, a Philippine financial service provider, has suffered a security breach in which the data of 900,000 clients was accessed without authorisation.
The breach occurred due to a server failure, resulting in the exposure of customer names, birth dates, email addresses and mobile numbers.
“On January 15, 2019, we detected attempts to use one of our email servers as a relay to send out spam to other domains,” a company notice to customers read.
"Follow-up investigation resulted in the discovery of unauthorised downloading of contact lists used as recipients for email campaigns. These unauthorised downloads took place on August 5, 8, and 12, 2018.”
Cebuana Lhuillier specialises in pawning, remittance, micro-insurance, and business to business micro loan solutions, with close to 2,500 branches nationwide.
“It's just a very small portion of our clientele,” said Richard Villaseran, the company's corporate communications division head, when speaking to Reuters. “The main server containing all clients of Cebuana Lhuillier remains protected and uncompromised.”
Villaseran added that the company's clients had been advised how to further protect their personal information.
“We are committed to ensuring the data privacy of our clients and adhere to strict security protocols in protecting our interests," a company statement read. “We will provide additional information regarding the incident as soon as it becomes available.
“We are committed to ensuring the data privacy of our clients and adhere to strict security protocols in protecting our interests. We will provide additional information regarding the incident as soon as it becomes available.”
The breach came as Philippine investigators were looking into allegations by the country's foreign minister last week that a privately contracted firm took away documents and data from the Department of Foreign Affair's passport database.
(Additional reporting by Karen Lema; Editing by Michael Perry - Reuters)