Please Guess??? Digital Agency Former Staff Steal Starbucks' Sinkie Customers Data, Sold on Dark Web!

Pinkieslut

Alfrescian
Loyal

Marketing agency fined S$10,000 after Starbucks S'pore customers' data leaked, put up for sale on dark web

The data breach was attributed to internal lapses on the side of the developer, Ascentis.
Daniel Seow | November 17, 2023, 05:42 PM


The personal data of 332,774 Starbucks Singapore customers was found to be compromised in September last year, when it was put up for sale on a dark web forum.

The affected customers were members of the coffee chain's My Starbucks Rewards loyalty programme, and their leaked data included membership information such as names, birth dates, mobile numbers and residential and email addresses.
Following the data breach, Ascentis, the developer of an e-commerce platform owned by Starbucks, has been fined S$10,000, CNA reported.
A judgement by the Personal Data Protection Commission released on Nov. 10 found that the data breach was due to internal lapses on the Ascentis side, and could not be attributed to Starbucks Singapore.
No further action was taken against the coffee chain.

Project team shared admin account details on Google sheet


Starbucks Singapore hired Ascentis to support its loyalty programme in 2014.
Ascentis specialises in marketing services for loyalty programmes, and has won industry awards consistently over the past decade.
In 2020, Ascentis was also tasked to develop and provide technical support for Starbucks Singapore's e-commerce platform. Customers can buy Starbucks products through this platform.
However, Ascentis engaged a Vietnam-based vendor, Kyanon Digital, to provide extra manpower and develop software for the platform.
Its employees were given accounts with administrative privileges, which also allowed them to export data from the platform. These admin accounts did not require multi-factor authentication.
In May 2022, a Kyanon employee, who was referred to as Peter in the judgement, left the company.
His admin account was not disabled.
Instead, his account credentials were shared in a Google Sheet with the rest of the project members.
They proceeded to change the password for the account, and continued using it. The new password was stored in the same Google Sheet.

Person used account of ex-employee to access customers' data


Later, between Sep. 10-13, 2022, a malicious actor used Peter's account to gain access to the e-commerce platform.

While it was unclear how they did this, the judgment surmised that it was through the shared Google Sheet.
The person then granted other accounts administrative privileges and exported a large amount of personal data to an external email address.
Membership details of 332,774 individuals, as well as the physical addresses of 181,875 customers and 310,560 phone numbers -- all stored on the e-commerce platform -- were exported.
This data was later put up for sale on an online forum on the dark web.
The Singapore Computer Emergency Response Team (SingCERT) discovered the data leak and informed the PDPC of it on Sep 13, 2022.
Starbucks Singapore and Ascentis notified the PDPC of the data breach on Sep. 15 and Sep. 16 respectively.

Account did not have complex password, multi-factor authentication


In its judgement, PDPC held Ascentis responsible for failing to disable Peter's admin account.
To make matters worse, the account had not been protected by a sufficiently complex password.
The password incorporated "Kyanon" and a series of numbers in sequence.
While Ascentis argued that this technically complied with the platform's complexity requirements, PDPC responded that this "is not good enough if the password remains guessable".
The commission added that Ascentis could have specified clearer data protection requirements to Kyanon, especially in relation to account management.
The PDPC also pointed out two data protection practices which could have prevented the data breach -- restricting rights for an admin account to the necessary employee and implementing multi-factor authentication for such accounts.
It acknowledged that Ascentis' plans to put into place multi-factor authentication had been delayed by the pandemic, but stressed that this measure could have been prioritised, given the volume of personal data stored on the platform.

Breach due to internal lapses by Ascentis, not Starbucks S'pore: PDPC


In determining the penalty, the PDPC recognised that Ascentis had cooperated with investigations, taken remedial actions promptly, and accepted responsibility for the incident.

This is the first time Ascentis has been involved in a breach of personal data.
The judgment also said that the breach was due to internal lapses by Ascentis, and could not be directly attributed to Starbucks Singapore.
Nevertheless, the commission added that the coffee chain could improve in how it draws up contracts for and manages its data intermediaries.
PDPC also noted that Starbucks Singapore had since put in place a remediation plan, including requesting vendors to implement two-factor authentication, and restricting the IP addresses that have administrative access to the customer database.

No credit card details stored on database: Starbucks S'pore


In a previous email sent out to its members following the breach, Starbucks Singapore clarified that it did not store credit card information on its customer database.

The email also mentioned that all stored value, rewards and credits were intact.
Following the Nov. 10 judgment, Mothership has reached out to Starbucks Singapore for comment.
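As an added example (not code from Ascentis, Kyanon, Starbucks or the PDPC), two defender-side checks that map onto the findings in the judgement quoted above: a password rule that rejects an org name followed by sequential digits even when the basic complexity rule passes, and an admin-account review that flags leaver accounts still enabled, credentials rotated after the leaver's exit (a sign the account is being shared), and admin accounts without MFA. The complexity rule, account data, dates and passwords are all assumed or constructed.

```python
"""Added example, not code from Ascentis, Kyanon, Starbucks or the PDPC.
All accounts, dates and passwords below are constructed."""
import re
from datetime import date

# Org names a password must not contain (vendor, developer, client).
DENY_TERMS = ("kyanon", "ascentis", "starbucks")

def meets_complexity(pw: str) -> bool:
    """Assumed minimal rule of the kind the platform enforced: length plus mixed letters/digits."""
    return len(pw) >= 8 and bool(re.search(r"[A-Za-z]", pw)) and bool(re.search(r"\d", pw))

def is_guessable(pw: str) -> bool:
    """Catches what complexity lets through: an org name, or 4+ consecutive digits up or down."""
    low = pw.lower()
    if any(term in low for term in DENY_TERMS):
        return True
    for run in re.findall(r"\d{4,}", pw):
        steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def review_admin_accounts(accounts, leavers, today):
    """Flags leaver accounts still enabled, a password rotated after the leaver's
    exit (the account is being shared), and admin accounts without MFA."""
    findings = []
    for acc in accounts:
        user = acc["user"]
        if user in leavers and acc["enabled"]:
            days = (today - leavers[user]).days
            findings.append((user, f"still enabled {days} days after leaving"))
            if acc["pw_changed"] > leavers[user]:
                findings.append((user, "password rotated after departure: shared credential"))
        if acc["admin"] and not acc["mfa"]:
            findings.append((user, "admin account without MFA"))
    return findings

# Constructed identity export, HR leaver feed and review date.
ACCOUNTS = [
    {"user": "peter", "admin": True, "enabled": True, "mfa": False, "pw_changed": date(2022, 6, 1)},
    {"user": "alice", "admin": True, "enabled": True, "mfa": True, "pw_changed": date(2022, 3, 1)},
    {"user": "bob", "admin": False, "enabled": True, "mfa": False, "pw_changed": date(2022, 1, 10)},
]
LEAVERS = {"peter": date(2022, 5, 15)}
REVIEW_DATE = date(2022, 9, 10)
```

Run `review_admin_accounts(ACCOUNTS, LEAVERS, REVIEW_DATE)` to see the three findings on the constructed data; `is_guessable("Kyanon123456")` is true even though `meets_complexity` passes it.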

red amoeba

Alfrescian (Inf)
Asset
What a fucking joke. Serious breach of privacy and data security and fine only 10k ? How much is the data worth ?

laksaboy

Alfrescian (Inf)
Asset
Gentle reminder that Tiongs' Luckin Coffee also has its own app, which you need to order or pay for your purchases. :wink:
