Singapore retailer hit by data breach

The personal data of Singapore retailer OG’s basic and gold members was reportedly compromised in the latest data breach in the city-state.

In a statement to OG members last week, the retailer said a breached database containing personal data of the affected members had been stored and managed by an external third-party membership portal service provider.

The potentially compromised data include members’ names, mailing addresses, email addresses, phone numbers, genders, dates of birth, cryptographically hashed national identity card numbers, as well as cryptographically hashed passwords to the member accounts.

OG said the data breach was limited and confined to one isolated database on its members and do not affect any past or future purchases made at OG or at its online store.

Since becoming aware of the incident, OG has required its service provider to take immediate action to manage and remediate the breach, and to ensure the database is secure.

“The management of OG is now working closely with our consultants and the authorities to strengthen our safeguards, systems and process,” it said.

The incident has been reported to the police and other relevant authorities, including the Personal Data Protection Commission and the Cybersecurity Agency of Singapore.

Meanwhile, the retailer has advised affected members to look out for phishing or impersonation attempts.

“For members who have re-used their OG membership password across different websites or platforms, we recommend that you change your passwords immediately to avoid any possible compromise of your other accounts. You may also wish to enable additional security measures, such as multi-factor authentication if supported.”

Jeffrey Kok, vice-president of solutions engineers at CyberArk Asia-Pacific and Japan, said cyber criminals typically procure and sell personal data records to other criminals who leverage them for phishing attacks, scams, social engineering and other campaigns. In addition, ransom amounts have increased, making it even more compelling for attackers to gain possession of such confidential information.

“The current landscape has brought about opportunities for attackers to leverage, and retailers and other businesses need to proactively ensure they secure powerful privilege accounts and keep sensitive customer data safe,” he said.

“This is because attackers who gain access to privileged accounts can potentially elevate privileges and move laterally throughout the network to accomplish their goals that could be as serious as executing a complete network takeover,” he added.

Kok called for organisations to consider adopting Singpass, Singapore’s national digital identity and authentication system, so that users can sign in with their Singpass credentials rather than having to manage a separate set of usernames and passwords for other sites.

“In addition, businesses working with third-party vendors could consider independent audits, red team and penetration testing to ascertain that the third-party vendors have the expected rigour, due diligence, security controls and governance,” he added.