Jollibee Foods Corp is investigating a data breach affecting 11 million customers. The breach surfaced after renowned threat actor Sp1d3r listed the company’s stolen database for sale on a dark web hacking forum.
Jollibee is one of Asia’s largest food retailers, with over 1,500 outlets worldwide, including about 30 in the United States. The fast-food restaurant is famous for its delicious dishes, such as Chickenjoy, Jolly Spaghetti, Chicken Tenders, Peach Mango Pie, and Corned Beef.
“We take this matter seriously and have launched an investigation to better understand the scope of the incident,” the company said in a statement.
However, the fast food giant said the data breach did not disrupt its e-commerce platforms or subsidiaries, which were “unaffected and remain operational,” ruling out the possibility of a ransomware attack.
Jollibee requests more time to investigate data breach
The Jollibee Group has notified the country’s privacy watchdog, the National Privacy Commission (NPC), and reportedly requested an additional 20 days to complete its internal investigation.
The NPC requires personal data processors to notify impacted individuals within 72 hours of the incident. The country’s Data Privacy Act of 2012 requires entities handling the personal information of over 1,000 people to register as personal information controllers (PICs) or personal information processors (PIPs). Jollibee has registered as a PIC and PIP and is thus under heavy scrutiny from the country’s data protection agency.
According to the NPC, the Jollibee data breach leaked sensitive personal data, including dates of birth and senior citizen identification numbers. Most individuals impacted by the Jollibee data breach were the fast food chain’s customers.
Earlier, privacy advocacy group Deep Web Konek reported that the data breach affected up to 32 million customers and 650 million records related to Jollibee food delivery services.
The database also allegedly contains sensitive personal information, including the victims’ full names, postal addresses, phone numbers, email addresses, credit card numbers, and passwords. Consequently, the victims face a significant risk of identity theft as a result of the data breach.
The threat actor also alleges that the stolen database contains delivery orders, sales transactions, and other service details. That information is invaluable for creating phishing scams to trick customers into disclosing more valuable details such as credit card numbers and account passwords.
According to the NPC spokesperson, the data breach also impacted other brands’ customer information, including Mang Inasal, Red Ribbon, Chowking, Greenwich, Burger King, Yoshinoya, and Panda Express.
According to insiders with insight into the matter, the data breach affected the group’s “data lake,” which stores structured and unstructured data for the company and all its subsidiaries. However, the attack vector remains undisclosed at the moment.
Meanwhile, Jollibee says it has implemented response protocols and enhanced security measures to prevent further threats. The fast food giant also launched an investigation, engaged relevant authorities, and has formally requested assistance from the country’s Department of Information and Communications Technology (DICT).
The Asian food giant also reiterated its commitment to prioritizing the protection and confidentiality of its stakeholders’ personal information and “continuously fortifying its defenses against future threats.”
Nevertheless, Jollibee is no stranger to data breaches impacting its stakeholders’ personal information. In 2018, the NPC ordered the fast food chain to shut down its online delivery platform after it experienced a similar data breach.
“In the digital age, where the boundary between the physical and digital blurs, the alleged incident involving Jollibee Foods Corp. serves as a stark reminder of the perpetual battleground that modern enterprises inhabit,” said Javvad Malik, Lead Security Awareness Advocate at KnowBe4. “It’s unsettling, yet hardly surprising, to hear that a company of such stature and reach has found itself grappling with a data breach.”
Caught in Sp1d3r’s web
Jollibee is among many global victims of the infamous threat actor Sp1d3r, who has listed billions of stolen records for sale on the dark web.
In June 2024, Sp1d3r listed the Neiman Marcus Group database for sale on a dark web forum for $150,000. The database allegedly contains 6 billion rows of customer shopping records and other details, although the company confirmed that only 64,000 individuals were affected.
Sp1d3r has also listed the stolen database of the cybersecurity company Cylance for $750,000. The database allegedly contained the personal information of 34 million people. Both databases were linked to the Snowflake hack that has affected over 165 organizations.
The threat actor also asks for $1 million and $1.5 million in exchange for Truist Bank’s and Advance Auto Parts’ stolen databases, respectively.