By Christian Brazil Bautista

Editor’s Note: The headline (a comma was changed to a semicolon) and the first to fourth paragraphs were revised to make it clear that the 10 incidents mentioned in the headline and the lead paragraph were personal data breaches and not cyber attacks.

PLDT fought off 10 personal data breaches in 2019, the company said in a regulatory filing submitted to the Securities and Exchange Commission in the United States.

READ PLDT’s response: PLDT: ‘Countermeasures in place to reinforce cybersecurity’

The personal data breaches, which merited disclosure to the National Privacy Commission and the users affected, included unauthorized access to call data records, supposedly inadvertent leaks of customer information by employees and glitches in the company’s website and mobile application that exposed customer details to unauthorized users.

The document, which was filed in April but has not yet been reported on, also disclosed the scale of the cybersecurity threat that the company is facing.

In 2019, the company’s Cyber Security Operations Group dealt with nearly 3,000 incidents. The incidents ranged from relatively innocuous threats such as spam emails, the use of unauthorized applications and failed log-in attempts with corporate credentials to more serious risks such as malware attacks, distributed denial of service (DDoS) attacks, network intrusion attempts and unauthorized access.

PLDT told US regulators the attacks did not disrupt its operations. However, it admitted that its defenses were becoming less of a deterrent against threats.

“Our existing deterrence measures against cyber security breaches are becoming less effective. For instance, defensible gates and impermeable walls that are designed to secure our service and information infrastructure have become less effective. While such tools and measures make it difficult to breach into our system, these tools do not stop breaches altogether,” the filing read.

In May, hacker group Anonymous Philippines hacked into the company’s Twitter account to post critical tweets about its service. After the attack, the company told customers that their data remained safe.

PLDT, whose American Depositary Receipts are listed on the New York Stock Exchange, did not respond to a request for comment.


Christian Brazil Bautista has worked in both the United States and the Philippines, reporting and editing for The Real Deal, Digital Trends, Financial Times, Real Estate Weekly, Yahoo! Southeast Asia and Rappler.