Chicha San Chen, Jollibee Data Breaches Highlight Increasing Risks, Need for Zero-Trust Identity Access, Better Partners
They are coming for you.
Cybercriminals are relentless, and if history tells us anything, it’s that they can get to you. They can probably get to anyone.
They seemed particularly prolific this past June, breaching well-known food brands in both the Philippines and Singapore and compromising the data of millions of customers. These high-profile incidents underscore an increasingly dangerous threat landscape where no organisation is safe from the increasingly sophisticated machinations of emboldened attackers.
Not Too Jolly at Jollibee After Stinging Breach
Multinational Filipino fast-food giant Jollibee reported to the National Privacy Commission (NPC) on 22 June 2024 a suspected data breach affecting approximately 11 million customers after someone purportedly accessed the company’s data lake without proper authorisation. This centralised repository houses all data collected by Jollibee and its associated brands—Mang Inasal, Red Ribbon, Chowking, Greenwich, Burger King, Yoshinoya, and Panda Express.
“Sensitive personal information, including dates of birth and senior ID numbers, has been compromised. Approximately 11 million data subjects are affected, the majority of whom are Jollibee customers,” said Roren Marie Chin, Chief of Public Information and Assistance Division at NPC, in a statement to the press.
Jollibee has assured its customers and stakeholders that it “is addressing the incident,” stating in a disclosure to the Philippine Stock Exchange that it “has implemented its response protocols and deployed enhanced security measures to further protect the company’s and its subsidiaries’ data against threats.”
“JFC (Jollibee Food Corporation) recognises the value and importance of the confidentiality of the personal information of its stakeholders,” Jollibee added. “The company assures the public of its commitment to prioritise the protection and confidentiality of such personal information, including customer data, by continuously fortifying its defences against future threats.”
It is damage control time for JFC, and it has to start by getting to the bottom of this incident and doing something concrete about it.
“It is important to remember that no company is safe from cyber attacks in light of the recent Jollibee group data leak,” said Kelvin Lim, Senior Director, Security Engineering, at Synopsys Software Integrity Group, in an email to Cyber Security Asia (CSA). “Given the damage caused by the attack, Jollibee will need to conduct a comprehensive investigation, put in place extra security measures, and advise customers of the measures taken to prevent such attacks in the future in order to win back their trust.”
Boba, We’ve Been Breached!
Just days before the Jollibee breach was reported, a similar incident happened in Singapore, this time involving YKGI, the parent company and operator of several food and beverage outlets, including the widely popular bubble tea chain Chicha San Chen.
In a filing to the Singapore Exchange Securities, YKGI admitted that it had “recently encountered a cybersecurity incident” in its Customer Relationship Management (CRM) system, which the company said is operated by an external vendor. YKGI further stated that an unknown party “gained unauthorised access to one of the vendor’s shared servers which resulted in an unauthorised access to the Chicha San Chen membership database stored on the shared server.”
For Patrick Tiquet, VP of Security and Compliance at Keeper Security, relying on a third-party vendor was problematic.
“There is an additional risk any time a company outsources and entrusts sensitive information to third-party providers,” Tiquet told CSA via email. “When an organisation does not own and operate the infrastructure that holds these resources, it not only lacks control but also has reduced visibility in the event of a significant cyber incident. When choosing products and services, organisations are putting their trust in another organisation to handle their sensitive data with the utmost security.”
The incident prompted YKGI to email its customers, assuring them that their credit card information had never been stored in any of its systems to begin with. Nevertheless, the company recommended that its customers change their login details and passwords, while also owning up to the breach and promising to do better moving forward.
YKGI’s recommendations to customers are well warranted, Tiquet pointed out.
“In cases where personal information is stolen, the impacts of a data breach are felt long after it’s been discovered and contained. Those impacted in this breach should take proactive steps to protect themselves from cybercriminals who may aim to use their personal information for identity theft and targeted attacks,” he added. “With the breach compromising login credentials—along with names, mobile numbers, and email addresses—users should immediately prioritise changing their passwords for Chicha San Chen, as well as any other websites that use the same password or a version of that password.”
The Familiar Culprit That Is Unauthorised Access
A common thread ties these two high-profile breaches: Both were caused by some form of unauthorised access, at least according to YKGI’s and JFC’s initial statements. It shouldn’t be a surprise anymore, as unauthorised access—whether intentional or inadvertent—is among the leading causes of data breaches and cyber incidents worldwide.
The much-publicised Uber data breach in 2023, for instance, was eerily similar to YKGI’s case: driver data held by Uber was compromised by miscreants who illicitly accessed the IT systems of Genova Burns, Uber’s partner law firm. Closer to home, infotech giant NCS saw 180 of its virtual servers deleted by a disgruntled former employee, Kandula Nagaraju, who carried out his act of vengeance by logging into the firm’s computer systems with the same credentials he had been given as an employee. This “human oversight” in failing to terminate Nagaraju’s access ultimately cost NCS SGD 917,832.
These high-profile cyber incidents highlight how critical it is to prevent unauthorised access, which, according to Tiquet, organisations can do by augmenting their existing cybersecurity architecture with zero trust, least-privilege access, and Role-Based Access Control (RBAC), among other measures.
A backbone of zero trust is Identity and Access Management (IAM), a framework of policies and technologies that ensures the right people have the right access to the right resources at the right time. It is a cybersecurity paradigm that relies on a range of technologies, including authentication mechanisms (such as passwords and biometrics) and RBAC.
“Everyone and everything that connects to the Internet has an identity that must be confirmed and permissions that have to be assessed before any access is granted to any resource,” David Hope, Senior Vice President, Asia Pacific & Japan, at ForgeRock, told CSA in an exclusive last year. “The job of verifying these identities, which can be in the millions, is best handled by a comprehensive IAM platform that is both fast and scalable to make smart access decisions even during traffic surges.”
The goal, ultimately, is to control who gets to access what, so as to minimise intrusions and unauthorised entry into the organisation’s IT systems; letting the wrong identity in is essentially akin to handing over the keys to the kingdom.
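As an added illustration, not code from the article or from any of the vendors quoted in it, the Python sketch below shows how a deny-by-default, zero-trust access decision combines the controls Tiquet lists: an identity check that rejects a disabled or expired account (the lapse in the NCS case), tenant scoping so that an account on shared infrastructure cannot reach another client’s database (the failure mode in the YKGI case), and RBAC with least privilege, with every decision recorded for detection. All account names, roles, tenants and resources are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Added illustration, not code from the article or from any vendor named in it:
# a deny-by-default access decision that checks identity status, tenant and role.

@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset
    tenant: str        # organisation the identity belongs to
    active: bool       # set to False at off-boarding
    expires: date      # hard cut-off, so a missed off-boarding still lapses

@dataclass(frozen=True)
class Resource:
    rtype: str
    owner_tenant: str  # whose data sits on this (possibly shared) server

# Least privilege: a role grants only the listed (resource type, action) pairs.
ROLE_PERMISSIONS = {
    "crm-support": {("membership-db", "read")},
    "sysadmin": {("virtual-server", "read"), ("virtual-server", "delete")},
}

AUDIT = []  # every decision, allowed or denied, is kept for detection and forensics

def decide(identity, resource, action, today=None):
    """Return (allowed, reason); nothing is trusted because it worked yesterday."""
    today = today or date.today()
    if not identity.active or today > identity.expires:
        verdict = (False, "identity disabled or expired")
    elif identity.tenant != resource.owner_tenant:
        verdict = (False, "tenant mismatch on shared infrastructure")
    else:
        granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in identity.roles))
        ok = (resource.rtype, action) in granted
        verdict = (ok, "role grants action" if ok else "no role grants this action")
    AUDIT.append((identity.user, resource.rtype, resource.owner_tenant, action, verdict))
    return verdict

# Constructed sample data: hypothetical accounts and servers, not real ones.
EX_EMPLOYEE = Identity("former-sysadmin", frozenset({"sysadmin"}), "it-firm", False, date(2099, 1, 1))
VENDOR_SUPPORT = Identity("vendor-support", frozenset({"crm-support"}), "tea-chain", True, date(2099, 1, 1))
MEMBERSHIP_DB = Resource("membership-db", "tea-chain")
OTHER_CLIENT_DB = Resource("membership-db", "other-client")
VIRTUAL_SERVER = Resource("virtual-server", "it-firm")
```

The former employee’s still-valid credentials are refused because the identity is inactive, and the vendor account can read only the membership database of the tenant it belongs to.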
Buyer Beware: Find a Third-Party You Can Trust
Sometimes, though, a company’s best efforts in cybersecurity can be undone by a sloppy, unreliable third-party vendor—as was the case with YKGI, whose CRM provider appears to be the weak link. This is why Adam Brown, Managing Consultant at Synopsys Software Integrity Group, advises organisations to be wary of the vendors and suppliers they work with.
“Many data breaches suffered by firms are down to external companies’ failings due to lack of a mature software security initiative. Firms that embrace software security reduce their risk of breach by having robust software practices and security controls in place to prevent these kinds of breaches. However, if their suppliers do not commit to similar policies the risk of breach remains,” he told CSA. “It’s so important that we scrutinise suppliers’ practices on security, since ‘trusted partners’ are just that; we must know that their security practices are as good or better than our own.”
Abhishek Kumar Singh, Head of Security Engineering at Check Point Software Technologies, offered a similar assessment of the Chicha San Chen breach, essentially putting the onus on YKGI’s CRM provider.
“This incident at Chicha San Chen involved unauthorised access to a vendor’s shared server, highlighting the vendor’s responsibility to secure the application and platform, ensure compliance, and maintain physical security,” Singh pointed out to CSA in an exclusive commentary on the incident. “We are seeing more and more of such attacks due to third-party breaches.”
The solution in this case is painfully obvious: Choose better partners, those with better, more robust security.
“Businesses in the industry need to focus on reducing risks from vendors and supply chains to strengthen their cybersecurity. They should also thoroughly vet third-party vendors to ensure they follow strict cybersecurity rules and create clear contracts specifying vendors’ cybersecurity responsibilities, including regular security checks,” Singh said.
A Final Word
History also tells us cyber attacks aren’t stopping anytime soon. Cybercriminals are relentless that way, and they can get to you. All it takes is just one slip-up—a compromised employee, a weak password, a sloppy third-party business partner, or an exposed endpoint.
It is why you must go through all this “trouble”—fortifying your defences, training your staff in cyber hygiene, and vetting business partners—so you can minimise your risk of getting attacked.
And yes, cybercriminals can get to you. They just got Jollibee and Chicha San Chen.