Love, Bonito customers' data breached, credit card details exposed, watchdog investigating

SINGAPORE - Singapore's privacy watchdog is investigating a data breach involving home-grown fashion label Love, Bonito, after it reported that its online users' data had been compromised.

On Friday (Dec 13), the retailer, which has three stores in Singapore, sent an e-mail to its online customers telling them that the data breach had been confirmed on Tuesday and a malicious code had been added to its e-commerce website.

The malicious code has since been removed.

In the e-mail, Love, Bonito's co-founder Rachel Lim said that based on the company's investigations, some of its customers' personal information may have been exposed, including credit card numbers, expiry dates and CVVs, full names, shipping addresses, order details and phone numbers.

The e-mail did not say how many people were affected by the breach.

Responding to queries from The Straits Times about how it was alerted to the breach, a company spokesman apologised and said that a "small number" of its customers, were affected.

The spokesman later added: "We can confirm that based on Love, Bonito's investigations, approximately 3 per cent of its customers may have had their personal information exposed.

"Out of which, a small number may have had their financial data accessed."

The company was founded in 2010 and has offices in Malaysia and Indonesia. It is not known how many registered online users it has.

The spokesman said: "We took immediate actions to remove the malicious code and further steps to secure our systems. The relevant authorities have been notified, and we are working closely with them and our security vendors to investigate and resolve this matter.

"As the incident is currently under investigation, no further details can be provided."

In response to queries from ST, a spokesman for the Personal Data Protection Commission (PDPC) said that it has been notified of the incident and investigations are ongoing.

According to Miss Lim, her company has engaged a data security expert to conduct a forensic investigation of the incident and to review, audit and enhance its security controls and processes.

In addition to informing the PDPC, she said it has reported the incident to the police.

Love, Bonito is also working with "relevant vendors" to investigate and resolve this matter, but it did not specify who these vendors are.

Miss Lim advised Love, Bonito customers to check their payment card or personal account statements for unauthorised charges and report such charges promptly to their banks.

She also told customers to ensure that two-factor authentication (2FA) has been set up for their credit cards and to notify their bank of any unusual incidents immediately, as well as to request for a credit card replacement.

This article was first published in The Straits Times. Permission required for reproduction.