Cosmetics company Clarins hit by data security incident, 'may involve' Singapore customers’ personal information
SINGAPORE — French cosmetics company Clarins has been hit by a data security incident which "may involve" Singapore customers’ personal information, it said on Tuesday (Jan 11).

Clarins said in a statement on its website that the incident was due to a critical vulnerability in a widely used software known as Log4j.
Log4j, which is an open-source software used to support activity-logging in many Java-based applications, was used to manage Clarins’ database containing personal data of its Singapore customers. Clarins became aware of the security breach when a staff member could not access its database.
“Unfortunately, while this vulnerability affecting our database was promptly patched within hours of release of the security patch, it appears that the server has been compromised after the vulnerability was publicly exposed,” it said.
The data accessed may have included customers’ personal information such as name, address, email, phone number and Clarins loyalty programme status, it added.
Based on its "investigations to-date", the data did not include any password, credit card or payment information as the server accessed “did not include such information”, said Clarins.
Minister for Communications and Information Josephine Teo said last month that Singapore authorities are checking and patching government systems "thoroughly" to guard against the Log4j vulnerability.
In its statement, Clarins said it deeply regrets the incident, adding that it has “promptly” implemented security patches to prevent a recurrence of such an attack.
The company added that it is “working closely” with law and security experts to ensure that the incident is properly addressed, and that it has also notified the Singapore Personal Data Protection Commission (PDPC) of the security breach.
Clarins also advised customers to change their password and to treat all unsolicited calls, emails and SMS with caution — particularly those involving payment details or passwords.
CNA has contacted Clarins, PDPC and the Cyber Security Agency for more information. CNA