Homegrown online cashback portal ShopBack has been fined S$74,400 (US$54,600) by Singapore’s data privacy watchdog over a data leak that affected more than a million of its customers.
The company’s customer database was put up for sale on an online forum in 2020, said the Personal Data Protection Commission (PDPC) in a written judgment released on Wednesday (Aug 16).
This personal data included email addresses, names, mobile numbers, bank account numbers and partial credit card information.
Hackers had entered ShopBack’s servers and extracted the data using an access key with full administrative privileges, which remained in a private repository on the GitHub platform for 15 months.
ShopBack, also known by its legal name Ecommerce Enablers Pte Ltd, offers cashback for purchases made through affiliated merchant programmes. It also provides coupons and voucher codes for customers.
ShopBack first notified the PDPC and its customers of an incident involving unauthorised access to its customer data servers on Sep 25, 2020. PDPC then received two complaints from customers.
On Nov 12 that year, ShopBack’s customer database was subsequently offered for sale on Raidforums, an online cybersecurity forum commonly used to trade and sell stolen databases. Its domain name and content have since been seized by US authorities.
On Sep 9, 2020, a malicious threat actor accessed ShopBack’s AWS environment using the key and exfiltrated data from the customer storage servers.
These included the email addresses of about 1.45 million users; 840,000 names; 450,000 mobile numbers; 140,000 addresses, 10,000 National Registration Identity Card numbers; and 300,000 bank account numbers.
The partial credit card information of about 380,000 users was also stolen. The details included partial credit card numbers, month and year of expiry, and the issuing bank.
