Singaporean data privacy watchdog Personal Data Protection Commission is currently investigating a breach involving the cashback app ShopBack after the company revealed “an incident involving unauthorized access” incident, said The Strait Times.
The e-commerce cashback platform sent out an email to clients last week, the breach targeted its “systems which contained [its] customers’ personal data.” The email was sent as the company was “currently confirming which data has been compromised.”
The company’s FAQ page revealed that the breach was discovered on September 17, 2020. Customer details that have been accessed included email addresses, alternative login IDs, and limited transactional information.
This includes name, contact information, gender, date of birth, and bank account numbers. The last item applies only to those who have cashed out to their bank accounts.
The firm assured clients that this does not enable malicious parties to directly access bank accounts. However, customers are reminded to be mindful of phishing attempts.
On the day the Customer Notice was sent, the company emphasized, “We have no reason to believe that any of your personal data has been misused, however, the possibility still exists.” Furthermore, it assures clients that their cashback balance and unused vouchers are safe.
To quell concerns regarding financial credentials, the firm clarified that it does not collect credit card details. The Strait Times also quoted the not email saying that it does not store customers’ 16-digit card numbers or CVVs on any of its systems.
The firm assured customers that it took immediate action after it removed the unauthorized access after becoming aware of the issue. The company is also investigating the matter and are working with cybersecurity specialists for assessments.
According to the email, the experts will be assessing the extent of the incident. They are also collaborating to improve the platform’s security system. Moreover, the company is working with the private agencies of countries where it operates.
Clients are also assured that the accounts are encrypted, but were also encouraged to change their passwords for additional precautionary measures. The notice also reminded customers not to use the same passwords on more than one platform.
As of writing, the company’s FAQ page told clients to report suspicious emails, stay vigilant, and get in touch with their customer care service for reports or any suspicious activities involving their ShopBack accounts.
Meanwhile, the Personal Data Protection Commission confirms that it has been informed of the matter and is conducting investigations.