Singapore, March 17
Personal information of 4,749 customers of the Singapore Airlines’ in-flight retailer KrisShop was exposed to an unknown party after a recent phishing attack, a media report said on Thursday.
The personal data exposed included names, e-mail addresses, residential addresses, contact numbers and KrisShop e-voucher numbers, The Straits Times reported.
The bank account numbers of about 165 customers, as well as the KrisFlyer account numbers of 17 people, were also exposed.
“Based on our investigations, the data did not include any password or credit card information, as the files did not include such information,” the report quoted a KrisShop spokesman as saying.
On March 8, KrisShop discovered that one of its employees’ work account was illegally accessed by an external party in a phishing attack.
The spokesman did not give details of the attack and the identity of the external party.
“The affected account was locked as soon as we were alerted to the phishing attack and investigations began immediately.
“Upon further investigations, we found that files containing data involving 4,749 individuals may have been exposed due to this incident,” the official said.
The Personal Data Protection Commission was notified on March 10, after the information required for KrisShop to make a report was verified internally by the company.
Apologising to affected customers for the incident, KrisShop said it is in the process of contacting them and will be offering any assistance they may require.
The affected KrisShop e-vouchers have also been cancelled and replaced.
The company has reviewed its systems and processes together with Singapore Airlines, and concluded that the breach was an isolated incident that came about due to a human error.
None of its other databases or systems had been compromised.
“The protection of our customers’ personal data is of utmost importance to KrisShop. We will continue to take steps to strengthen our systems and processes,” the spokesman said.
Phishing attacks have made the news in Singapore recently.
They include the recent SMS phishing scams targeting OCBC Bank customers in December last year and January this year, which saw 790 people lose 13.7 million Singapore dollars (USD 1.01 million) in total.
OCBC is one of the largest local banks here.
At least 72 people have lost over 1,09,000 dollars (USD 80,384) to a phishing scam on online marketplace Carousell, the police had said in a statement on March 3.
Pretending to be buyers, the fraudsters would tell the victim sellers that they would be paying them via CarouPay, an in-app payment feature.
The victims would then receive an e-mail purportedly sent from Carousell, stating that the payment was made but they needed to access a link in the e-mail to receive it.
The link would redirect them to fraudulent websites masquerading as bank websites, where they would be asked to give their banking details and one-time password in order to receive payment.
“Victims would realise that they had been scammed only when they discovered unauthorised transactions made to their bank accounts,” the police had added.