
Cyber Incident Victim: Cebuana Lhuillier

Date: Aug 2018

Location: Philippines

Summary

A Philippine financial services company experienced a data breach involving unauthorized access to an email server, leading to the exposure of customer contact lists used for email campaigns. The incident compromised personal information including names, birth dates, email addresses, mobile numbers, and in some instances income details. Over 900,000 clients were affected by the security compromise, which was discovered during an investigation into subsequent spam relay attempts originating from the compromised server.


Description

Cebuana Lhuillier publicly disclosed a data breach on January 19, 2019, notifying clients that unauthorized parties had accessed personal information. The breach came to light after suspicious activity was detected on January 15, 2019, when the company identified attempts to misuse one of its email servers to send spam to external domains. The subsequent forensic investigation revealed three earlier instances of unauthorized data exfiltration: August 5, August 8, and August 12, 2018. In each instance, attackers downloaded contact lists containing customer information used for the company's email marketing campaigns. The compromised data fields included full names, dates of birth, email addresses, and mobile phone numbers, with income details exposed in certain cases.


The pawnshop chain confirmed that over 900,000 clients were impacted by the breach. Through direct email notifications, Cebuana Lhuillier informed affected individuals about the exposure of their personal data and advised them to implement security measures on their accounts. The company's disclosure did not specify whether financial records or transactional data were compromised, focusing instead on the confirmed theft of marketing contact information. No operational disruptions to financial services were reported in conjunction with the breach. The organization's public statements emphasized the ongoing investigation while urging customers to remain vigilant against potential misuse of their exposed personal information.
