Republic of the Philippines

CENTRAL BICOL STATE UNIVERSITY OF AGRICULTURE

San Jose, Pili, Camarines Sur 4418
Website: www.cbsua.edu.ph Email
Address: [email protected]
Trunkline: (054) 871-5531;871-5533

Jollibee Foods Corporation 2024 Data Breach: A Case Study on Data

Privacy and Security Implications.

In partial fulfillment of the requirements in

INFORMATION ASSURANCE AND SECURITY - 2
S/Y 2024 – 2025

Prepared by:
Añonuevo, Ian Jay
Gamboa, Jerick D.
Suarilla, Charline B

Presented to:
Richard M. Castuera
Company’s Profile
Jollibee Foods Corporation (JFC), a prominent player in the global quick-service
restaurant (QSR) industry, stands as a testament to Filipino entrepreneurial spirit and
strategic expansion. Established in 1975 by Tony Tan Caktiong, JFC has evolved into
the largest fast-food chain in the Philippines and a significant player in the global market
(Jollibee, 2024). Jollibee Foods Corporation's (JFC) rapid growth following its
establishment in 1978 led to a strategic diversification strategy characterized by both
organic expansion and strategic acquisitions. The company expanded its brand
portfolio, acquiring and establishing multiple food chains, demonstrating a keen
understanding of diverse culinary preferences and market trends. JFC's acquisition
strategy included the incorporation of well-established Filipino brands like Chowking
(Chinese-inspired fast food), Greenwich (pizza and pasta), Red Ribbon (bakery and
pastry), and Mang Inasal (Filipino barbecue). This moves not only diversified JFC's
offerings but also strengthened its position within the Philippine market. Today, JFC
operates thousands of outlets in several countries, including the United States, Canada,
China, and across Southeast Asia, making it a global icon of Filipino entrepreneurship.

Data Breach Incident

Despite its success, JFC recently faced a significant challenge with a major data
breach in June 2024. According to the National Privacy Commission (2024), at 11:38
a.m., Jollibee started reporting on June 22 of a possible illegal entry into its data lake,
which houses information for every company in the group. Based on the statement from
Atty. Rainier Anthony Milanes, chief of the NPC’s compliance and monitoring division,
announced that the breach compromised the personal information of approximately 11
million data subjects; the majority are Jollibee customers. Atty. Milanes also emphasized
that when we said “data lake," all kinds of data are there, whether it is structured or
unstructured (data). Other impacted brands involved Mang Inasal, Red Ribbon,
Chowking, Greenwich, Burger King, Yoshinoya, and Panda Express. Unauthorized
access to JFC’s "data lake" resulted in the exposure of sensitive data such as birth
dates, senior citizen ID numbers, and JFC’s employee data. This compromised
information might significantly increase the risk of identity theft and fraud.
Cybercriminals could exploit this information for malicious activities, such as
impersonating individuals to gain unauthorized access to financial accounts, apply for
loans, or commit other fraudulent transactions.

Attacker’s Profile

As of October 2024, there is no publicly available specific information regarding

the identity of the individuals or groups responsible for the data breach that affected
Jollibee Foods Corporation. However, the Philippine National Privacy Commission
(NPC) believed that an international syndicate could be behind the massive data breach
that hit fast food giant Jollibee. NPC Compliance and Monitoring Division chief Rainier
Anthony Millanes suspects that the Jollibee data leak could be tied to a series of
cyberattacks that affected 165 companies worldwide. He also believes that the
syndicate aims to obtain data from these firms. Atty. Millanes also mentioned in his
interview that the attacker used the same cloud database provider that is also involved
in a string of data breaches worldwide (SUNDY LOCUS, GMA Integrated News &
SUNDY LOCUS, GMA Integrated News, 2024).

Additionally, the cybersecurity advocacy group Deep Web Konek also released
information, revealing that a user known as "Sp1d3r" on a cybercrime forum claimed to
have 32 million customers' personal data and 650 million records related to the
company's food delivery operations. Millanes said that Alias ‘Spider’ is an alleged
cybercriminal who leaked the data breach to a dark website and is believed to be a
member of an international group of hackers (SUNDY LOCUS, GMA Integrated News &
SUNDY LOCUS, GMA Integrated News, 2024). According to reports, the records
contain private client data such as names, addresses, phone numbers, and email
addresses. Atty. Millanes added that the Complaints and Investigations Division is
investigating these incidents and trying to identify an alias Spider.

Firm’s Vulnerabilities

Based on several attacks of data breaches in different food service companies,

observations in terms of cybersecurity measures have been identified—the incidents
reveal common aspects of insufficient security measures, inadequate employee
training, and poor communication during data breaches, contributing to the vulnerability
of sensitive data in the food service industry. Companies must prioritize data security as
there is so much personal information stored in the systems to maintain customer trust
and business reputation while ensuring compliance with data protection regulations.

Vulnerabilities: Why Is the Food Industry Under Attack?

The personal information stored in the system of the food industry may be one of
the causes of a data breach. On the other side, the food manufacturing industry is just
at the starting point to be digitized (TXOne Networks, 2024). Meaning, many companies
still rely on outdated IT systems that lack proper security measures.

The food industry faces a high risk of account takeover attacks, with a reported
attack rate of 20%, significantly higher than the average rate of 2.5% across all
industries (Yahoo). The study provided key reasons why the food sector is particularly
vulnerable to these cyber threats, including the Jollibee:

 Online loyalty programs

- The loyalty programs allow customers to earn rewards that can be taken
by hackers who take over accounts and redeem points or rewards, which
affects financial losses for the company and its customers. The points or
rewards must be checked to ensure that they are only available to the
user itself.

 Ordering and Delivery Services

- Food ordering and delivery apps have been convenient for customers in
terms of online services. However, many of these platforms do not
prioritize advanced and proper cybersecurity measures; thus, payment
information and personal data are exposed to data breaches. The users
must regularly

 Frequency of Use

- Food industry apps or systems are frequently used, and hackers will find it
easier to hide and conceal unauthorized transactions from the hacker’s
 activity. The user must regularly monitor the activities to ensure the
accuracy of the transaction.

 Storage of Personal Details:

- The personal information of the customers collected by the companies

when subscribing to newsletters or promotional offers boosts marketing
and advertising but also can be compromised by other parties or sources.
The company must implement tight supervision of the personal
information of the customers to prevent breaches.

 Use of New Technologies:

- Technological platform technologies are urged to be used; however, the

lack of awareness of these methodologies leads to security incidents. The
company should acquire knowledge and skills in applying technologies to
their system.

 The Cost of Downtime:

- The food industry must be continuous in its operation to prevent

ransomware attacks. The company must oversee the nature process of
the business in order to properly manage its function.

Each of these vulnerabilities has a huge contribution to the threat of data breach
that may arise, such as in the case of the service chain AT&T Data Breach provided by
Sangfor Technologies (2024) that has affected 73 million customers, also affecting its
clients. With this, it is just factual to implement safety measures to prevent and mitigate
these causes.

Countermeasures

Countermeasures: How Can Restaurants Prevent Cyber-Attacks?

While there are no specific countermeasures mentioned and taken by Jollibee from the
attack of data breach due to security approach, Sangfor Technologies (2024) had based
on Federal Trade Commission which proposed ways to protect accounts specifically in
food service company.

 Creating Stronger Passwords

- Strong passwords are encouraged to protect the account from

unauthorized access. They must be long and hard or complex to
prevent hackers from getting into the system.

 Limit Access Control

- Only those authorized users must have the ability to control the
system.

 Use Reliable and Advanced AI

- In the digitalized world, technologies help strengthen security

measures and defense (e.g., Sangfor Technology).

 Update Software

- Software is the main mechanism of systems; updating and monitoring

properly the system must be implemented.

 Educate Your Workforce

- Training and awareness of security incidents such as phishing scams,

social engineering attacks, etc., should be educated.

 Draw Response Plan

- Create a response plan for the continuous operation of the company

and the backups of data.

With the implementation of these measures, food service companies can greatly
reduce their vulnerability to data breach and ensure better protection for both their
customers and clients.

Possible Solutions to Prevent Future Attacks

Insert here :>
 REFERENCES

ANC 24/7. (2024, June 26). NPC suspects international syndicate behind Jollibee data
breach | ANC [Video]. YouTube. https://www.youtube.com/watch?v=f5zU4Yq_LA0
CEDTyClea. (2024, June 24). Jollibee reports data breach affecting 11 million
customers — NPC. BusinessWorld Online.
https://www.bworldonline.com/corporate/2024/06/25/603920/jollibee-reports-data-
breach-affecting-11-million-customers-npc/
Jollibee. (2024, September 20). JFC History and Milestones | Jollibee Foods Corp |
Jollibee Group. JFC I Jollibee Foods Corporation I Jollibee Group.
https://jollibeegroup.com/history-milestones/
Ronda, R. A. (2024, June 24). Jollibee data breach may affect almost 11 million
customers. Philstar.com.
https://www.philstar.com/headlines/2024/06/25/2365363/jollibee-data-breach-may-
affect-almost-11-million-customers
SUNDY LOCUS,GMA Integrated News & SUNDY LOCUS, GMA Integrated News.
(2024, June 26). NPC: Jollibee Group data breach may be part of ransomware
attacks on 165 companies. GMA News Online.
https://www.gmanetwork.com/news/money/companies/911337/npc-jollibee-group-
data-breach-may-be-among-global-ransomware-attacks/story/
Technologies, S. (2024, July 8). Jollibee data breach in the Philippines affected 11
million customers. Sangfor Technologies.
https://www.sangfor.com/blog/cybersecurity/jollibee-data-breach-philippines-affected-
11-million-customers
TXOne Networks. (2024, Jun 27). Understanding Cyber Threats in the Food
Manufacturing Industry. https://www.txone.com/blog/understanding-cyber-threats-in-
food-manufacturing-industry/#:~:text=But%20why%20is%20the%20food,to%20find
%20a%20way%20in.
 PEER EVALUATION FORM
Group Members M1 M2 M3 Total
M1. Añonuevo, Ian Jay
M2. Gamboa, Jerick D.
M3. Suarilla, Charline B.