ShopBack fined over data leak that affected over 1.4 million users


SINGAPORE - E-commerce cashback platform ShopBack has been fined $74,400 by Singapore's data privacy watchdog for a data breach that affected over 1.4 million of its customers.

ShopBack's customer database was stolen by a hacker and put up for sale on an online forum in November 2020, the Personal Data Protection Commission (PDPC) said on Wednesday (Aug 16).

The leaked database contained personal information such as bank account numbers, partial credit card details, mobile numbers and e-mail addresses.

PDPC found that the hacker had most likely obtained the key to the database after a ShopBack employee accidentally committed it, embedded in software code, to an online repository.

At the time of the incident, ShopBack hosted its customer database on virtual servers in an Amazon Web Services (AWS) cloud environment. It employed 12 people whose responsibilities included making sure that the keys to the servers were secure.

On June 4, 2019, a senior member of the team accidentally committed code containing a key to a private repository on GitHub, a platform that allows developers to store and manage their code. The key in question had full administrative privileges.

The error was discovered by a team member two days later and the code containing the key was removed from GitHub.

"However, it remained viewable in GitHub's 'commit history', which records all changes and previous versions of code uploaded on GitHub," said PDPC in its report.

On June 21 of that year, the key was to be deleted and replaced by a new key as part of routine security measures.

The same employee, however, failed to fully disable and remove the old key after creating a new one. As a result, the compromised key could still be used to access ShopBack's servers until about 15 months later.

On Sept 9, 2020, a hacker used the key to steal data from ShopBack's customer storage servers.

These included the e-mail addresses of about 1.4 million users, 840,000 names, 450,000 mobile numbers, 300,000 bank account numbers, and the partial credit card information of about 380,000 users.

During a routine security review about a week later, ShopBack discovered that its servers had been breached and hired a private forensic expert to investigate.

In its report, PDPC found that ShopBack had failed to ensure that its processes to manage the keys to its servers were sufficiently robust. It said: "(ShopBack) claimed that the compromise of the AWS key arose from human error, and not because of any systemic issue with its security practices.

"This position is not accepted... Organisations cannot place sole reliance on their employees to perform their duties properly as a security arrangement to protect personal data. There must be some process to ensure that the step required from the employee is taken, such as independent verification by another checker."

PDPC added that ShopBack also failed to conduct periodic security reviews, which could have detected whether the AWS keys had been properly rotated or deleted.

PDPC noted, however, that ShopBack took immediate steps to contain the data breach, such as by reversing all the changes made by the hacker and triggering a forced logout and password reset of all customer accounts.

To prevent the incident from happening again, ShopBack stepped up the monitoring of logs to ensure any unauthorised access would be detected.

In determining what financial penalty to impose, PDPC said it considered the "long period" of 15 months the key was exposed, but took into account that ShopBack had taken prompt remedial actions and acknowledged its failure.

From October 2022, the maximum amount that a company can be fined for a data breach is 10 per cent of its annual turnover in Singapore, or $1 million, whichever is higher.

Previously, organisations that violated the Personal Data Protection Act would face a financial penalty of up to $1 million.

A ShopBack spokesman said in response to queries from The Straits Times that the company fully respects PDPC's decision, and that the security of its systems and users' data "remains of utmost importance to us".

The spokesman added: "Over the past three years, ShopBack has made significant enhancements to our security protocols and systems and has been recognised by the Cyber Security Agency of Singapore for our good security practices since October 2022."


This article was first published in The Straits Times. Permission required for reproduction.
