L’Oreal Singapore let off with a warning for personal data breach

L’Oreal Singapore had compromised customers’ profile information, due to failure of security arrangements on its eCommerce website. According to the Personal Data Protection Commission (PDPC), details such as names, email addresses, postal addresses, mobile number and date of birth of seven individuals were exposed.

In a case filing document seen by Marketing, PDPC said L’Oreal operated a website which had a login portal that enabled its customers to view their profile information, redeem vouchers and make enquiries about customer points. The beauty company engaged a vendor to make coding changes to the website in November 2018, but failed to run checks on its login and caching functions after the code changes were introduced.

As a result, customers who logged into the dedicated customer login page will have his or her personal data cached, and disclosed to other customers who subsequently logged in to the same page until the cache was refreshed. Similarly, the personal data of the second customer who logged in after the cache refresh, would be cached, leading to disclosure of his or her details revealed to the third customer who logs in next.

According to PDPC, L’Oreal had engaged a consultant to assist in its investigations into the matter and to provide recommendations to prevent similar incidents in the future. The commission said that L’Oreal had completed all necessary and appropriate tests based on the foreseeable impact of the requested changes to its website, but failed to include the foreseeable scenario of multiple users logging in sequentially. However, the commission will not slap a fine to L’Oreal and will give a warning to the company.

Recently, there has been a number of data breaches in Singapore. In December 2019, Love, Bonito confirmed that its eCommerce website was breached and about 3% of its customers may have possibly had their personal information exposed. In a statement to Marketing then, a Love, Bonito spokesperson said the breach affected local and international customers.

Months earlier, Sephora confirmed a data breach, compromising personal information of some customers who have used its online services in Singapore, Malaysia, Indonesia, Thailand, Philippines, Hong Kong SAR, Australia and New Zealand. In an email to consumers seen by Marketing, Alia Gogi, managing director SEA, Sephora said the breach occurred over the last two weeks but did not clarify the exact number of those affected.