MANILA (2nd UPDATE)—More than 900,000 clients of Cebuana Lhuillier were affected by a breach that may have compromised their personal data, the local pawnshop said Saturday.
The figure represents about 3 percent of its total clientele, Cebuana Lhuillier said.
Information that could have been compromised includes birth dates, addresses, and sources of income, the company said in a statement.
It, however, noted that transaction details or information were not compromised and that the pawnshop's main servers "remain safe and protected."
The pawnshop earlier said attempts to use one of its servers were detected last Tuesday, January 15, but that unauthorized downloads from its servers took place on August 5, 8, and 12, 2018.
Affected clients have already been notified and the data breach has been reported to the National Privacy Commission (NPC) for investigation, Cebuana Lhuillier said.
"We are committed to ensuring the data privacy of our clients and adhere to strict security protocols in protecting our interests," it said. "We will provide additional information regarding the incident as soon as it becomes available."
The NPC is investigating the incident, privacy commissioner Raymond Liboro said Saturday.
"Cebuana Lhuiller has 72 hours from discovery of a data breach to report the same to the Commission and affected data subjects. The data subject notification must be done individually, and not further expose the data subject to more harm," Liboro said in a statement.
In a meeting with the NPC last Thursday, Cebuana Lhuillier said it engaged the services of a third party information security service provider to "handle their mitigation and response to this incident."
The pawnshop also committed to submit a more detailed report of the breach to the NPC.
Cebuana Lhuillier is the Philippines' largest non-bank financial service provider, specializing in pawning, remittance, and micro-insurance.
In 2017, the company reported that its loyalty program already has more than 9 million members nationwide.