Data privacy securer National Privacy Commission (NPC) has ordered online lending application Familyhan Credit Corporation to delist the names of its 6,000 borrowers and delete them in its database, following a cease-and-desist order (CDO) that the commission recently imposed due to alleged violation of the Data Privacy Act (DPA) of 2012.
In a statement on Monday, the NPC revealed that it ordered Familyhan to stop processing the personal data of those lenders to prevent more people from gaining unlawful access to it, pending NPC’s ongoing investigation.
According to the NPC, the database contains sensitive information of the lending’s customers, including names, passport numbers, email addresses, current addresses of borrowers based in Hong Kong and Singapore and residential addresses of borrowers in the Philippines.
The NPC further noted that the orders were imposed through a CDO lodged by the agency on 15 January to the lender’s headquarters in Lipa City in Batangas, and to the personal addresses of Familyhan’s board members, identified as May Reyes, Voltaire Villafuerte, Jessa Rene Villafuerte, Acer John Angeles and Maureen Atienza.
Based on NPC’s complaints and its independent investigation, there was a “sufficient ground” to support that Familyhan violated Section 26 of the DPA for providing unauthorized access to personal and sensitive personal information due to negligence, subject to additional penalties for concealment of security breaches.
“The report of NPC’s Complaints and Investigation Division finds that there is reason to believe that Familyhan should have known or had a reasonable belief that a security breach of their borrowers’ personal information occurred, that it has not made the required notification, that there is evidence to support a finding of possible negligence for failure to secure the database and prevent unauthorized access, and that it has not registered with this Commission, despite meeting the criteria for mandatory registration,” the CDO stated.
As of 18 January, the database remained to be accessible online, making the matter all the more urgent to be acted on by the commission.
Familyhan and the responsible officers are given 10 days to file a comment on the CDO, and if will not send affidavit, the NPC’s Enforcement Division will explore enforcement actions, which may include, but not limited to, suas sponte investigations and criminal prosecution at the Department of Justice.
To recall, the NPC, in a released Circular 20-01 in October 2019, has ordered 26 lending applications, namely Cash bus, Cash flyer, Cash warm, Cashafin, Cashaku, Cashope, Cashwhale, Credit peso, Flash Cash, JK Quickcash lending, Light Credit, Loan motto, Moola Lending, One cash, Pautang peso, Pera express, Peso now, Peso tree, Peso.ph, Pesomine, Pinoy cash, Pinoy Peso, Qcash, Sell loan, SuperCash and Utang pesos, to halt harvesting data from its lenders used to shame delinquent borrowers.