SG fashion brand fined S$24,000 over 2019 data breach involving over 5,500 customers


The data breach involved an administrator account of the software used by the brand to manage its ecommerce website. — AFP Relaxnews

SINGAPORE: Home-grown fashion label Love, Bonito has been fined S$24,000 (RM76,897) over a 2019 data breach which saw personal information of more than 5,500 customers compromised.

It had failed to put in place reasonable security arrangements to protect the personal data, which included customers’ first and last names, phone numbers and credit card details, said the Personal Data Protection Commission (PDPC) in its written decision published last Thursday (May 19).

The data breach involved an administrator account of the software used by Love, Bonito to manage its ecommerce website, which was utilised by an unknown third party to access and obtain customers’ personal data.

The account was also likely used to add an unauthorised programming code to the website, according to investigations by the firm, its digital solutions providers and a private forensic investigator.

The code would run whenever customers accessed the “check-out” page on the website to pay for their orders, causing their credit card data to be transferred to the third party instead of the payment platform used by Love, Bonito.

In late November 2019, the company noticed a significant drop in credit card authorisations for payments via the platform and discovered that the “check-out” page had been incorrectly configured.

It implemented a fix to allow the processing of credit card payments to resume through the platform.

However, the same issue recurred in early December 2019 and the firm disabled the credit card payment function on the “check-out” page.

Subsequent investigations uncovered the code and the unauthorised use of the administrator account by the unknown third party.

A previous report by The Straits Times said Love, Bonito had informed its online customers via email on Dec 13, 2019.

A company spokesman had told ST at the time that a “small number” of its customers were affected. It is not known how many registered online customers the firm has.

The PDPC said in its written decision that Love, Bonito’s password policy – for the website management software accounts – was inadequate.

The firm had adopted the software’s default security settings, such as having a required password length and an account lockout after a number of failed login attempts.

But more robust and stringent measures were required, said the PDPC, which noted that Love, Bonito did not mandate periodic changes of passwords.

The software’s default security settings also did not require the company’s employees to refrain from using passwords that can be easily guessed.

The PDPC said that the password of the administrator account – “ilovebonito88” – incorporated the firm’s name, which made it easy to guess and vulnerable to brute-force attacks, a common method of guessing passwords by systematically trying every possible combination of letters, numbers and symbols.
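The password weaknesses the PDPC cited (organisation name embedded in the password, no ban on guessable passwords, reliance on defaults) can be enforced at the point where an administrator sets a password. The following is an added illustration, not code from Love, Bonito or its software vendor; the minimum length, the small common-password list and the policy rules are assumptions chosen for the example.

```python
"""Password-policy check against the weaknesses cited in the PDPC decision.

Added example (not from the page): rejects passwords that embed the
organisation's name, reuse a common password, or are too short or too
uniform. Thresholds and the word list are constructed for illustration.
"""
import re

# Constructed sample list; a real deployment would use a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}


def org_name_tokens(org_name: str) -> list[str]:
    """Tokens derived from the organisation name that must not appear in a password.

    'Love, Bonito' -> ['bonito', 'love', 'lovebonito'] (collapsed form plus each
    word of four or more characters), so punctuation and spacing offer no cover.
    """
    words = re.findall(r"[a-z0-9]+", org_name.lower())
    tokens = {"".join(words)} | {w for w in words if len(w) >= 4}
    return sorted(tokens)


def check_password(password: str, org_name: str, min_length: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations = []
    pw = password.lower()
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    # Strip trailing digits so 'welcome88' is still caught as a common password.
    core = re.sub(r"\d+$", "", pw)
    if pw in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        violations.append("common password")
    for token in org_name_tokens(org_name):
        if token in pw:
            violations.append(f"contains organisation name token '{token}'")
    # Require at least three of: lowercase, uppercase, digit, symbol.
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        violations.append("fewer than 3 character classes")
    return violations


if __name__ == "__main__":
    # The password named in the decision fails on three name tokens and on character classes.
    for problem in check_password("ilovebonito88", "Love, Bonito"):
        print("rejected:", problem)
```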

It also noted other significant weaknesses in the company’s IT systems which could have been exploited by malicious third parties to gain access to the website’s management software.

These included the lack of security monitoring for Love, Bonito’s network as well as its systems not being maintained or patched.

The maximum fine a company can face for a data breach is S$1mil (RM3.20mil). – The Straits Times (Singapore)/Asia News Network
