4,749 KrisShop customers' personal data 'may have been exposed' after phishing attack
A screengrab of the KrisShop website.
SINGAPORE: A total of 4,749 KrisShop customers' personal data "may have been exposed" after a phishing attack, the retailer said on Thursday (Mar 17).
The data potentially includes the names, email addresses, addresses, contact numbers, and e-voucher numbers belonging to these individuals, KrisShop said in response to CNA's queries.
Of the 4,749 customers, the bank account numbers of about 165 individuals, as well as the KrisFlyer account number of 17 people, may have also been exposed.
EMPLOYEE'S ACCOUNT ILLEGALLY ACCESSED
On Mar 8, KrisShop learnt that an employee’s work account was illegally accessed by an external party as a result of a phishing attack.
The affected account was locked as soon as KrisShop was alerted to the phishing attack, and investigations began.
"Based on our investigations, the data did not include any password or credit card information, as the files did not include such information," said the retailer.
The affected KrisShop e-vouchers have been cancelled and replaced.
After KrisShop reviewed its systems and processes together with Singapore Airlines, the retailer established that it was an "isolated incident that arose due to human error", and that none of its other databases or systems have been compromised.
"The protection of our customers’ personal data is of utmost importance to KrisShop. We will continue to take steps to strengthen our systems and processes," said the retailer, adding that it was unable to provide further details of the attacker's identity as investigations were underway.
The Personal Data Protection Commission (PDPC) was notified on Mar 10 after the information required for filing the report was verified internally.
"KrisShop would like to apologise to all affected customers for this incident, and the inconvenience that it has caused to them," said the spokesperson.
"We are in process of contacting affected customers, and will be offering any assistance that they may require."
A PDPC spokesperson confirmed that KrisShop has notified the commission, and said it is looking into the matter.
Customers with queries may contact KrisShopCustomerCare [at] krisshop.com.
A recent SMS phishing scam targeting bank customers resulted in hundreds of OCBC Bank customers losing a total of S$13.7 million.
In February, the police said they have observed at least 900 cases of phishing scams since January this year.
