Online broker told to submit report
The government’s privacy watchdog has ordered COL Financial to submit a comprehensive report on the feared hacking of the firm’s database of its 225,000 clients.
National Privacy Commission (NPC) chief Raymund Enriquez Liboro, in a statement on Sunday, said that the order was issued to aid in the probe of the data breach and determine its next course of action.
Liboro said that COL Financial, the country’s largest online stock brokerage firm, was “hiring a third-party group to perform an independent security and vulnerability check of the system.”
He said that NPC gave COL Financial five days to submit its report on the potential hacking.
“The public may rest assured that the NPC is monitoring this incident 24/7 in fulfillment of its mandate as watchdog for the protection of the data privacy rights of every individual who may possibly be affected,” he said.
At the same time, the NPC commended COL Financial for its timely action on the data breach, including notifying authorities, as mandated by law, about the incident within three days of its discovery.
Liboro said that NPC was informed at 3:30 p.m. on Friday about the potential data breach to its system which was initially detected in the afternoon of Oct. 17.
“We are glad to note that this notification has adhered to standard breach reporting protocols set forth in NPC Circular 16-03, on personal data breach management,” he said.
“The company has assured the NPC that it has taken immediate measures to address the incident, creating a special team to look into the ‘likelihood of the threat and probable extent of a data breach, if any.’”
The NPC said that COL Financial also submitted a preliminary report giving additional details of what their breach response team had done as of Friday.
The company said that it ran an initial vulnerability scan of its website, the result of which was “favorable.”
“We commend COL Financial for following the NPC’s breach management guidelines, which oblige a Personal Information Controller or Personal Information Processor to be upfront and transparent in handling a personal data breach,” Liboro said.
“This includes sending a preliminary notification to the NPC and the affected data subjects within 72 hours upon knowledge or reasonable belief that a breach has occurred,” he added.
COL Financial president and CEO Dino Bate earlier told the Inquirer that none of 225,000 clients’ accounts and portfolios were affected.
“We assure our clients that their stock positions and portfolios are unaffected,” he said. “They will be able to trade normally on Monday.”
The company was still investigating what particular information was stolen or illegally accessed by the suspected hackers, but Bate stressed there were “no unauthorized withdrawals from client’s accounts.”
Bate wrote an e-mail to its clients on Friday informing them the company had taken “action to further strengthen the security of our systems.” —With a report from Roy Stephen C. Canivel
