Poh Heng Jewellery hit by data breach, customers’ personal information may have been compromised

“Upon discovery, we took prompt action to secure our system and have since reported the incident to the Personal Data Protection Commission (PDPC) and Singapore Police Force (SPF),” said Mr Chin.

“We have also confirmed that no passwords and payment information were leaked.”

When asked why the affected users were not notified upon discovery of the breach, Mr Chin told CNA the immediate priority then was to secure the company’s database and to ensure that there was no further compromise of data and its platforms.

“We also needed time to consolidate findings to report to PDPC and SPF to support and facilitate their investigations.

“While this may have taken time, it allowed us to better communicate steps taken to contain and resolve the situation to our affected members.”

A check by CNA on Saturday afternoon found that Poh Heng’s website was down with a posted notice: “We are upgrading our website to serve you better.”

In a letter that was posted on Reddit and sent to customers, Poh Heng’s Group CEO Eugene Goh said the unauthorised party accessed the personal data of customers. This may have included names, telephone numbers, email and residential addresses, member IDs, as well as the date of birth and country of residence.

“Please be assured that we do not store any financial information in your transaction with Poh Heng,” read the letter. “There is also no evidence to suggest that user passwords have been accessed.”

However, customers were advised to “closely monitor” their accounts with any organisation for any “suspicious or unusual activity”.

“We recommend that you remain vigilant against phishing attempts, especially with regard to clicking on links that may direct you to malicious websites where your passwords or other personal information may be requested”.

Poh Heng also told CNA it is currently working with relevant teams and experts to investigate the incident.