SINGAPORE: French cosmetics company Clarins has been hit by a data security incident which "may involve" Singapore customers’ personal information, it said on Tuesday (Jan 11).

The company said in a statement on its website that the incident was due to a critical vulnerability in widely used software known as Log4j.

Log4j, open-source software used to support activity logging in many Java-based applications, was used to manage Clarins’ database containing personal data of its Singapore customers. Clarins became aware of the security breach when a staff member could not access its database.

“Unfortunately, while this vulnerability affecting our database was promptly patched within hours of release of the security patch, it appears that the server has been compromised after the vulnerability was publicly exposed,” it said.

The data accessed may have included customers’ personal information such as name, address, email, phone number and Clarins loyalty programme status, it added.

Based on its "investigations to-date", the data did not include any password, credit card or payment information as the server accessed “did not include such information”, said Clarins.