ShopBack fined S$74,400 over leak of more than 1.4 million customers’ personal data
SINGAPORE: Homegrown online cashback portal ShopBack has been fined S$74,400 (US$54,600) by Singapore’s data privacy watchdog over a data leak that affected more than a million of its customers.
The company’s customer database was put up for sale on an online forum in 2020, said the Personal Data Protection Commission (PDPC) in a written judgment released on Wednesday (16 Aug 2023).
This personal data included email addresses, names, mobile numbers, bank account numbers and partial credit card information.
Hackers had entered ShopBack’s servers and extracted the data using an access key with full administrative privileges. The key had been left in the commit history of a private repository on the GitHub platform and remained valid for about 15 months.
ShopBack, also known by its legal name Ecommerce Enablers Pte Ltd, offers cashback for purchases made through affiliated merchant programmes. It also provides coupons and voucher codes for customers.
ShopBack first notified the PDPC and its customers of an incident involving unauthorised access to its customer data servers on Sep 25, 2020. PDPC then received two complaints from customers.
On Nov 12 that year, ShopBack’s customer database was offered for sale on RaidForums, an online hacking forum commonly used to trade and sell stolen databases. Its domain name and content have since been seized by US authorities.
At the time of the breach, ShopBack hosted the database on virtual servers in an Amazon Web Services (AWS) cloud environment.
It employed a 12-person site reliability engineering team, which used an AWS access key with full administrative privileges for work purposes.
On Jun 4, 2019, the key was inadvertently committed to software code in a private repository on GitHub by a senior member of the team.
Another team member discovered what had happened two days later and the key was removed from the repository, but it remained viewable in GitHub’s “commit history”, which records all changes and previous versions of code uploaded there. Deleting a secret in a new commit does not remove it from the earlier commits that still contain it.
GitHub is a platform and cloud-based service that allows developers to store and manage their code, as well as collaborate on projects.
Later that same month, another team member created a replacement key but failed to deactivate and delete the original one.
Because of that, the original key could still be used to access ShopBack’s customer storage servers until about 15 months after it was first committed.
1.45 MILLION USERS’ EMAIL ADDRESSES LEAKED
On Sep 9, 2020, a malicious threat actor accessed ShopBack’s AWS environment using the key and exfiltrated data from the customer storage servers.
These included the email addresses of about 1.45 million users; 840,000 names; 450,000 mobile numbers; 140,000 addresses; 10,000 National Registration Identity Card numbers; and 300,000 bank account numbers.
The partial credit card information of about 380,000 users was also stolen. The details included partial credit card numbers, month and year of expiry, and the issuing bank.
A week later, during a routine security review, ShopBack discovered what had happened. It then engaged a private forensic expert for further investigations.
The PDPC noted that ShopBack put immediate remedial measures in place, such as reversing all changes made by the hacker and triggering a forced logout and password reset of all customers’ accounts.
To prevent the incident from happening again, it also stepped up monitoring of logs to ensure any unauthorised access would be detected, among other measures.
PDPC found that ShopBack lacked sufficiently robust processes to manage its AWS keys. It rejected ShopBack’s argument that the compromise of the key arose from human error, not from any systemic issue with its security practices.
PDPC reiterated a previous judgment that an organisation cannot place sole reliance on its employees to perform their duties properly as a security arrangement to protect personal data.
ShopBack also failed to conduct periodic security reviews, which could have detected whether the AWS keys had been properly rotated or deleted, said PDPC.
After the discovery of the incident, ShopBack took 15 days to conduct a key rotation. PDPC said it should review its processes to determine if this amount of time was reasonable to deal with the compromise of an access key with full administrative privileges.
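The periodic review PDPC describes, checking whether a replaced key was actually deactivated and deleted and whether keys are being rotated at all, is mechanical enough to script. The example below is added here and is not ShopBack’s or AWS’s code. It audits records shaped like what boto3’s `iam.list_access_keys()` returns (`UserName`, `AccessKeyId`, `Status`, `CreateDate`) with the `LastUsedDate` from `iam.get_access_key_last_used()` merged in; the sample records, the user names, the key IDs other than the AWS documentation placeholders, the 90-day rotation limit and the 30-day idle limit are all constructed assumptions.

```python
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy
MAX_IDLE_DAYS = 30      # assumed: an Active key unused this long should be deactivated


def audit_access_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS, max_idle_days=MAX_IDLE_DAYS):
    """Return a list of (AccessKeyId, issue) tuples for a list of key records.

    Each record is a dict with UserName, AccessKeyId, Status ("Active"/"Inactive"),
    CreateDate (tz-aware datetime) and LastUsedDate (tz-aware datetime or None),
    i.e. the shape of boto3 IAM AccessKeyMetadata plus last-used data.
    """
    findings = []

    # Failure 1: a replacement key was created but the old one was never
    # deactivated. Every Active key for a user except the newest is superseded.
    by_user = {}
    for k in keys:
        by_user.setdefault(k["UserName"], []).append(k)
    for user_keys in by_user.values():
        active = sorted((k for k in user_keys if k["Status"] == "Active"),
                        key=lambda k: k["CreateDate"])
        for old in active[:-1]:
            findings.append((old["AccessKeyId"], "SUPERSEDED"))

    # Failure 2: no rotation. Also flag Active keys that nobody is using at all.
    for k in keys:
        if k["Status"] != "Active":
            continue
        if (now - k["CreateDate"]).days > max_age_days:
            findings.append((k["AccessKeyId"], "TOO_OLD"))
        last = k.get("LastUsedDate")
        if last is None:
            findings.append((k["AccessKeyId"], "NEVER_USED"))
        elif (now - last).days > max_idle_days:
            findings.append((k["AccessKeyId"], "IDLE"))
    return findings


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


SAMPLE_NOW = _utc(2020, 9, 16)  # assumed review date


def sample_keys():
    """Constructed records. The first user mirrors the incident timeline: a key from
    June 2019, a replacement created later that month, and neither ever deactivated."""
    return [
        {"UserName": "sre-admin", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active",
         "CreateDate": _utc(2019, 6, 4), "LastUsedDate": _utc(2020, 9, 9)},
        {"UserName": "sre-admin", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Active",
         "CreateDate": _utc(2019, 6, 20), "LastUsedDate": _utc(2020, 9, 14)},
        {"UserName": "ci-deploy", "AccessKeyId": "AKIACIDEPLOY00000001", "Status": "Active",
         "CreateDate": _utc(2020, 8, 1), "LastUsedDate": _utc(2020, 9, 15)},
        {"UserName": "ci-deploy", "AccessKeyId": "AKIACIDEPLOYOLD00000", "Status": "Inactive",
         "CreateDate": _utc(2020, 1, 10), "LastUsedDate": _utc(2020, 7, 31)},
        {"UserName": "batch-report", "AccessKeyId": "AKIABATCHREPORT00001", "Status": "Active",
         "CreateDate": _utc(2020, 9, 1), "LastUsedDate": None},
        {"UserName": "legacy-sync", "AccessKeyId": "AKIALEGACYSYNC000001", "Status": "Active",
         "CreateDate": _utc(2020, 3, 1), "LastUsedDate": _utc(2020, 6, 1)},
    ]


if __name__ == "__main__":
    for key_id, issue in audit_access_keys(sample_keys(), SAMPLE_NOW):
        print(f"{key_id}: {issue}")
```

Run against the sample, the 2019 key is reported both as superseded and as over the age limit, which is the condition that persisted for 15 months in the incident. In a live account the records come from boto3’s `list_access_keys` and `get_access_key_last_used`, and remediation for a flagged key is `update_access_key(Status="Inactive")` followed, once nothing breaks, by `delete_access_key`; deactivating takes one API call, so it is worth asking, as PDPC did, why revoking a compromised admin key should take days rather than minutes.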
In determining what financial penalty to impose, PDPC considered the “long period” for which the key was exposed, but noted that ShopBack took prompt remedial action and acknowledged its failure.
In October 2022, the maximum amount that a company can be fined for a data breach was increased to either 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher.
Previously, organisations that violate the Personal Data Protection Act would face a financial penalty of up to S$1 million.
A ShopBack spokesperson told CNA that it fully respects the PDPC’s decision, and that the security of its systems and users’ data “remains of utmost importance to us”.
“Over the past three years, ShopBack has made significant enhancements to our security protocols and systems, and has been recognised by the Cyber Security Agency of Singapore for our good security practices since October 2022,” the spokesperson added.
“We would like to thank our customers and merchant partners for their continued support. Security is a continuous endeavour, and ShopBack commits to playing an active role in safeguarding our data and systems.”