2023-08-17

SINGAPORE — Homegrown online cashback portal ShopBack has been fined S$74,400 by Singapore’s data privacy watchdog over a data leak that affected more than a million of its customers.

The company’s customer database was put up for sale on an online forum in 2020, said the Personal Data Protection Commission (PDPC) in a written judgment released on Wednesday (Aug 16).

This personal data included email addresses, names, mobile numbers, bank account numbers and partial credit card information.

Hackers had entered ShopBack's servers and extracted the data using an access key with full administrative privileges. The key had been exposed in the commit history of a private repository on the GitHub platform and remained valid for about 15 months.

ShopBack, also known by its legal name Ecommerce Enablers Pte Ltd, offers cashback for purchases made through affiliated merchant programmes. It also provides coupons and voucher codes for customers.

WHAT HAPPENED

ShopBack first notified the PDPC and its customers of an incident involving unauthorised access to its customer data servers on Sept 25, 2020. PDPC then received two complaints from customers.

On Nov 12 that year, ShopBack’s customer database was offered for sale on Raidforums, an online hacking forum commonly used to trade and sell stolen databases. Its domain name and content have since been seized by US authorities.

At the time of the breach, ShopBack hosted the database on virtual servers in an Amazon Web Services (AWS) cloud environment.

It employed a 12-person site reliability engineering team, which shared a single AWS access key with full administrative privileges for its day-to-day work.

On June 4, 2019, the key was inadvertently committed to software code in a private repository on GitHub by a senior member of the team.

While another team member discovered what happened two days later and the key was removed from the code, it remained viewable in GitHub’s "commit history", which records all changes and previous versions of code uploaded there. Deleting a secret in a new commit does not erase the earlier commit that introduced it, so anyone with read access to the repository’s history could still retrieve the key.

GitHub is a platform and cloud-based service that allows developers to store and manage their code, as well as collaborate on projects.

Later that same month, another team member failed to fully disable and remove the key after creating a replacement one.

Because of that, the key could be used to access ShopBack’s customer storage servers until about 15 months later.
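The two failure modes described above, a secret that survives in commit history after the file is cleaned up and an old key left active after a replacement is created, can be checked mechanically. The following Python script is an added example written for this article, not code from ShopBack, GitHub or the PDPC judgment. It runs over a constructed `git log -p` excerpt and a constructed list of IAM access keys in the shape returned by the IAM `ListAccessKeys` API; the key IDs, user names and commit hashes are hypothetical.

```python
"""Added example: detect (1) AWS access keys anywhere in git history,
including on removed ('-') lines, and (2) old keys still Active after a
replacement key was created. Sample inputs below are constructed."""
import re
from datetime import datetime, timezone

# Long-term IAM user keys start with AKIA, temporary credentials with ASIA,
# followed by 16 uppercase alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})")

# Constructed `git log -p` output, newest commit first: the second commit
# "removes" the key, but the first commit that added it is still there.
SAMPLE_GIT_LOG = """\
commit e4f5a6b
Author: sre <sre@example.invalid>

    remove hardcoded credentials

diff --git a/deploy.env b/deploy.env
--- a/deploy.env
+++ b/deploy.env
@@ -1,2 +1,2 @@
-AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001
+AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
 AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
commit a1b2c3d
Author: sre <sre@example.invalid>

    add deploy config

diff --git a/deploy.env b/deploy.env
--- /dev/null
+++ b/deploy.env
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Constructed key inventory using the field names of IAM ListAccessKeys
# (AccessKeyMetadata). sre-admin got a replacement key on June 20 but the
# June 4 key was never deactivated; ci-bot's rotation was done properly.
SAMPLE_IAM_KEYS = [
    {"UserName": "sre-admin", "AccessKeyId": "AKIAEXAMPLEKEY000001",
     "Status": "Active", "CreateDate": datetime(2019, 6, 4, tzinfo=timezone.utc)},
    {"UserName": "sre-admin", "AccessKeyId": "AKIAEXAMPLEKEY000002",
     "Status": "Active", "CreateDate": datetime(2019, 6, 20, tzinfo=timezone.utc)},
    {"UserName": "ci-bot", "AccessKeyId": "AKIAEXAMPLEKEY000003",
     "Status": "Inactive", "CreateDate": datetime(2019, 1, 10, tzinfo=timezone.utc)},
    {"UserName": "ci-bot", "AccessKeyId": "AKIAEXAMPLEKEY000004",
     "Status": "Active", "CreateDate": datetime(2019, 6, 20, tzinfo=timezone.utc)},
]


def scan_git_log(log_text):
    """Return (commit, sign, key_id) for every AWS key ID on an added ('+')
    or removed ('-') diff line. A '-' hit is still a leak: the commit that
    added the key remains in history."""
    hits, commit = [], None
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit = m.group(1)
            continue
        if line.startswith(("+++", "---")):  # file headers, not content
            continue
        if line[:1] in ("+", "-"):
            for key in AWS_KEY_ID_RE.findall(line[1:]):
                hits.append((commit, line[0], key))
    return hits


def unfinished_rotations(keys):
    """IDs of keys that are Active but not the newest key of their user:
    a replacement was created without retiring the old key."""
    by_user = {}
    for k in keys:
        by_user.setdefault(k["UserName"], []).append(k)
    stale = []
    for user_keys in by_user.values():
        newest = max(user_keys, key=lambda k: k["CreateDate"])
        stale += [k["AccessKeyId"] for k in user_keys
                  if k is not newest and k["Status"] == "Active"]
    return sorted(stale)


def exposed_and_active(log_text, keys):
    """The condition that actually caused the breach: a key that appears
    anywhere in history and is still usable."""
    active = {k["AccessKeyId"] for k in keys if k["Status"] == "Active"}
    return sorted({key for _, _, key in scan_git_log(log_text)} & active)


if __name__ == "__main__":
    for commit, sign, key in scan_git_log(SAMPLE_GIT_LOG):
        print(f"{commit} {sign} {key}")
    print("rotation not finished:", unfinished_rotations(SAMPLE_IAM_KEYS))
    print("exposed and active:", exposed_and_active(SAMPLE_GIT_LOG, SAMPLE_IAM_KEYS))
```

In practice, feed `scan_git_log` the output of `git log -p --all` (so deleted branches and tags are covered) and build the key list from `aws iam list-access-keys` for each user. Any key that shows up in history should be treated as compromised and deactivated, then deleted: rewriting history removes the commit from one repository but not from clones, mirrors or forks that already fetched it, so revoking the credential is the only step that actually closes the exposure.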