Statement of the Privacy Commissioner Raymund Enriquez Liboro on the possible personal data breach sustained by COL Financial Group, Inc.

October 23, 2017 | 9:23 AM UTC Last Edit: October 23, 2017

The National Privacy Commission has received a notification at 3:30 in the afternoon of October 20, 2017, Friday, from COL Financial Group, Inc. of a potential data breach to its system.


We note that this notification has adhered to standard breach reporting protocols set forth in NPC Circular 16-03, on Personal Data Breach Management.


In the notification, the company said that “sometime in the afternoon of 17 October 2017” it detected “a possible breach” in its system that “may involve some personal client information”.


The company has assured the NPC that it has taken immediate measures to address the incident, creating a response team to look into the “likelihood of the threat and probable extent of a data breach, if any.”


Attached to the notification is a preliminary report giving additional details of what its breach response team has done as of Friday. The company said it ran an initial vulnerability scan of its website, the result of which was “favorable”. It also mentioned the company hiring a third party group to perform an independent security and vulnerability check of the system.


At present, the COL Financial has been upfront and transparent in handling this incident. This includes notification to the NPC and the affected data subjects within 72 hours upon knowledge or reasonable belief that a breach has occurred.


The Commission shall be expecting to receive from COL Financial a full report on the incident within five days. This will aid us to more accurately investigate the incident and decide on our further course of action.


We are assuring the public especially the clients of COL Financial Group , Inc. that the NPC is monitoring this incident and shall be issuing new information to all concerned as soon as they become available.