Club 21 computer servers breached, members' personal info compromised

In an electronic mailer to its members on Monday (02/06), the company said that the May 19 attack on its computer servers resulted in "unauthorised access to data that included some customer information".

Get the full story from The Straits Times.

Club 21's investigations revealed that the customer information affected primarily comprised of customers who had signed up for the Club 21 Loyalty Programme in Singapore prior to October 1, 2009.

Club 21 relaunched its membership programme in 2009, and all membership card numbers were changed then.

Data such as contact information and NRIC/Passport numbers may have been affected. However, details such as credit card information and account passwords/PINs were not affected.

The company is also working with an external computer forensics firm to conduct a thorough investigation of this criminal act.

Here is a statement on Club 21's website:

On May 19 2014, Club 21 learnt of an illegal attack on one of our computer servers, resulting in unauthorised access to data that included some customer information. Upon discovery of this attack, we promptly reported the incident to the Singapore Police Force. We also immediately triggered our incident response process. The break-in point was swiftly identified and closed; access to the data was removed. We have launched a comprehensive review of the security on all our systems to prevent further recurrences.

Investigations to date show that the customer information involved in this attack primarily consisted of partial data of customers who had signed up for the Club 21 Loyalty Programme in Singapore prior to October 1, 2009.

Our ongoing investigations show that the attack may have affected some personal information you might have provided to us, such as obsolete membership card number, name, gender, NRIC/Passport number and date of birth, as well as address, telephone number and email address. In a few limited cases, income range and past sales data were also affected. Much of this was partial in nature.

Based on our investigations to date, we would also like to reassure you that:

- Credit cards were not compromised;
- All current membership data is in a separate unaffected server;
- Member passwords were not affected;
- The attack did not affect the company's e-commerce sites;
- The Facebook credentials of friends connected to Club 21's social media platforms via Facebook Connect were not compromised.

In the interests of keeping our members updated, we have taken steps to notify them by email, whether or not they were affected. We are pursuing other means of communication, such as telephone and postal mail, for those without email addresses. Current members can be reassured that their current data is in a separate system that was not affected. Customers or members with further questions may contact us by email at privacy2014@club21global.com.

Club 21 and the Singapore authorities treat such attacks seriously and we are working actively with the Technology Crime Division of the Police and an external computer forensics firm to conduct a thorough investigation of this criminal act.

While the matter is under investigation by the Police, we would like to advise vigilance over your personal data, employing good practices such as never using constructs of personal data, like Date of Birth, for passwords.

We are sorry this incident occurred. We value the trust you have placed in us by providing your personal information so that we may serve you better. For over forty years, our top priority has been to deliver exceptional customer service. This commitment is driving us to do everything possible to address this incident and to prevent this from happening again.