Privacy Commission orders lender Familyhan to take down list online of 6,000 borrowers

The National Privacy Commission (NPC) has ordered Familyhan Credit Corp. to immediately stop processing the personal data of more than 6,000 borrowers following an investigation of complaints that the online lender has put at risk the privacy of the data subjects in violation of the Data Privacy Act of 2012 (DPA).

The Commission also ordered Familyhan to immediately take down its master database online to prevent more people from gaining unauthorized access to it.

The database stores sensitive information of the lender’s customers -- names, passport numbers, email addresses, current addresses of borrowers based in Hong Kong and Singapore, and residential addresses of borrowers in the Philippines.

The orders were made through a Cease-and-Desist Order (CDO) the NPC sent on January 15 to the lender's headquarters in Lipa City in Batangas province.

The CDO was also sent to the personal addresses of the officers and board members of Familyhan, namely May Reyes, Voltaire Villafuerte, Jessa Rene Villafuerte, Acer John Angeles and Maureen Atienza.

Based on the complaints and on its independent investigation, the NPC said there was "sufficient ground" to support that Familyhan violated Section 26 of the DPA for providing unauthorized access to personal and sensitive personal information due to negligence.

Familyhan could also face additional penalties for concealment of security breaches.

The report of NPC’s Complaints and Investigation Division `finds that there is reason to believe that Familyhan should have known or had a reasonable belief that a security breach of their borrowers’ personal information occurred; that it has not made the required notification; that there is evidence to support a finding of possible negligence for failure to secure the database and prevent unauthorized access; and that it has not registered with this Commission, despite meeting the criteria for mandatory registration," the CDO read.

As of January 18, the database remained to be accessible online, making the matter all the more urgent to be acted on by the Commission.

Familyhan and the responsible officers are given 10 days to file a Comment on the CDO.

This is not the first time that the NPC has taken action against an online lender based on complaints it received.

In October 2019, the Commission ordered online lenders to take down 26 apps that they used in harvesting data to shame delinquent borrowers. The lenders were Cash bus, Cash flyer, Cash warm, Cashafin, Cashaku, Cashope, Cashwhale, Credit peso, Flash Cash, JK Quickcash lending, Light Credit, Loan motto, Moola Lending, One cash, Pautang peso, Pera express, Peso now, Peso tree,, Pesomine, Pinoy cash, Pinoy Peso, Qcash, Sell loan, SuperCash and Utang pesos.

In NPC Circular No. 20-01 it issued last year, the NPC barred online lenders from collecting borrowers’ phone and social media contact list amid mounting reports of harassment and shaming of users.

# # #