PETALING JAYA: The Department of Personal Data Protection (JPDP) said it will seek feedback from ShopBack Cashback Sdn Bhd regarding the number of Malaysians that may have been affected following a recent personal data breach involving the company.
JPDP in a statement said ShopBack had discovered an incident involving unauthorised access to its systems containing customers’ personal information, such as names, contact information, dates of birth and bank account numbers, on Sept 17.
JPDP was then notified of the situation by a representative appointed by ShopBack on Sept 25.
“The notification stated that ShopBack will begin the process of contacting its customers via email and set up a website with questions and answers (Q&A) to provide clarification, along with measures to be taken following the discovery of the breach,” JPDP said in the statement.
The government agency said it has also been informed about ShopBack’s mitigation plan to prevent the breach from escalating further, and that it had been assured these plans would be able to fully contain the breach.
“The Department will also work closely with relevant authorities to measure the severity of the personal data breach in line with the Personal Data Protection Act 2010 (Act 709),” it said, adding that the department viewed the breach as a serious matter.
In an email sent to customers on Sept 25, ShopBack said it was still confirming which data has been compromised, and it has “no reason” to believe that any personal data has been misused. However, it admitted that “the possibility still exists”.
“What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account is protected by encryption,” it said, adding that it had “immediately removed” the unauthorised access after being made aware of the issue.
The company, which offers cashback rewards for online shopping, said that its services and business operations have not been affected by the incident. It advised users to change their passwords, report any suspicious emails to the relevant authorities and to stay vigilant.
“While bank account numbers do not permit third parties direct access to your bank accounts, users who have provided us with their bank account numbers should be watchful for potential phishing attacks,” it added.
In a statement to LifestyleTech, ShopBack said the investigation is still ongoing and that in the meantime customers can continue to access their account.