Data of over 40,000 Goldheart customers leaked on Dark Web, hacking forums


SINGAPORE — Hackers have leaked a database they claim contains the personal details of more than 40,000 customers of local jewellery chain Goldheart.

The database was shared on hacking forums and the Dark Web around May 20 and appears to contain the records of those who signed up for an online account with Goldheart from 2015 to 2022.

Checks by The Straits Times found that the database contained names, addresses, phone numbers, e-mail addresses and users' dates of birth.

All of the database's user entries, which numbered over 40,000, had e-mail addresses and birth dates.

In the posts sharing the database, hackers claimed it contained the details of 42,000 Goldheart customers.

However, ST found that fewer than 4,000 of the entries contained phone numbers and addresses.

Several hundred entries also appeared to be fake and contained spam messages.

In response to queries from ST, the Personal Data Protection Commission (PDPC) said it will be investigating.

A spokesman said: "PDPC is aware of the case. We have reached out to Goldheart for more information and will be investigating."

Goldheart is a subsidiary of jewellery retailer Aspial, which also owns Lee Hwa Jewellery and pawnbroker Maxi-Cash.

According to its Facebook page, Goldheart is one of the largest local jewellery chains here, with more than 20 boutiques.

ST has contacted Goldheart for comment.

It was reported earlier in May that the PDPC ordered the Law Society to plug security gaps after a ransomware attack compromised the information of 16,009 members in 2021.

PDPC's investigation also uncovered poor password practices for an IT administrator account, which had "Welcome2020lawsoc" as its password.

Separately, the PDPC also fined online furniture store FortyTwo $8,000 for a data breach in 2021.

The breach resulted in the leak of personal particulars belonging to 6,339 customers, including credit card details of 98 customers.

In another judgment, Kingsforce Management Services was found to have breached its obligation to protect personal data after its database of 54,900 job seekers was compromised and sold on a hacking forum in December 2021.

External cyber-security investigators identified outdated website coding technology as the cause of the incident, and the PDPC ordered the firm to ensure that regular patching, updates and upgrades take place for all software and firmware supporting its website and application.


This article was first published in The Straits Times. Permission required for reproduction.
