ShopBack fined S$74,400 over leak of more than 1.4 million customers’ personal data

1.45 MILLION USERS’ EMAIL ADDRESSES LEAKED

On Sep 9, 2020, a malicious threat actor accessed ShopBack’s AWS environment using the key and exfiltrated data from the customer storage servers.

These included the email addresses of about 1.45 million users; 840,000 names; 450,000 mobile numbers; 140,000 addresses; 10,000 National Registration Identity Card numbers; and 300,000 bank account numbers.

The partial credit card information of about 380,000 users was also stolen. The details included partial credit card numbers, month and year of expiry, and the issuing bank.

A week later, during a routine security review, ShopBack discovered what had happened. It then engaged a private forensic expert for further investigations.

The PDPC noted that ShopBack put immediate remedial measures in place, such as reversing all changes made by the hacker and triggering a forced logout and password reset of all customers’ accounts.

To prevent the incident from happening again, it also stepped up monitoring of logs to ensure any unauthorised access would be detected, among other measures.

PDPC found that ShopBack lacked sufficiently robust processes to manage its AWS keys. It rejected ShopBack’s argument that the compromise of the key arose from human error, not from any systemic issue with its security practices.

PDPC reiterated a previous judgment that an organisation cannot place sole reliance on its employees to perform their duties properly as a security arrangement to protect personal data.

ShopBack also failed to conduct periodic security reviews, which could have detected whether the AWS keys had been properly rotated or deleted, said PDPC.

After the discovery of the incident, ShopBack took 15 days to conduct a key rotation. PDPC said ShopBack should review its processes to determine if this amount of time was reasonable to deal with the compromise of an access key with full administrative privileges.

In determining what financial penalty to impose, PDPC considered the “long period” for which the key was exposed, but noted that ShopBack took prompt remedial actions and acknowledged its failure.

In October last year, the maximum amount that a company can be fined for a data breach was increased to either 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher.

Previously, organisations that violate the Personal Data Protection Act would face a financial penalty of up to S$1 million.