Local telco M1 has said that an investigation of the website security incident on 15 September has revealed a data breach involving 12 cases of unauthorised access to customers’ personal information. Information such as their names and addresses was affected, but credit card and bank account details were not accessed.
“We sincerely apologise to our affected customers and are in the process of contacting them. Our independent security specialist has commenced penetration testing, post-implementation of the security patch. This will be followed by penetration testing by another independent specialist. We will also implement additional layers of protection to mask website cookies,” said the telco.
It added that a security flaw existed in the design of an application programming interface in the customer authentication mechanism of its website.
“By changing data stored within a website ‘cookie’, this allowed possible access to another customer’s personal information. A security patch was immediately developed and deployed which rectified the flaw,” the telco added.
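The class of flaw described above, where a server trusts an identifier held in a cookie, is shown here beside a version that rejects edited cookies; this is an added illustration, not M1's code. The cookie name `customer_id`, the sample records and the HMAC signing scheme are assumptions, since the article gives no implementation details.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; not M1 data.
CUSTOMERS = {
    "1001": {"name": "Alice Tan", "address": "1 Example Road"},
    "1002": {"name": "Bob Lim", "address": "2 Sample Street"},
}

SERVER_KEY = secrets.token_bytes(32)  # kept server-side, never sent to the browser


def _mac(customer_id):
    return hmac.new(SERVER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()


def profile_unsafe(cookies):
    """Flawed design: the customer id in the cookie is trusted as-is."""
    return CUSTOMERS.get(cookies.get("customer_id"))


def issue_cookie(customer_id):
    """Called after a successful login: bind the id to a server-made MAC."""
    return {"customer_id": f"{customer_id}.{_mac(customer_id)}"}


def profile_checked(cookies):
    """Hardened design: reject any cookie whose MAC does not match its id."""
    customer_id, sep, tag = cookies.get("customer_id", "").rpartition(".")
    if not sep:
        return None  # no MAC present at all
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(tag.encode(), _mac(customer_id).encode()):
        return None
    return CUSTOMERS.get(customer_id)


def demo():
    issued = issue_cookie("1001")  # cookie handed to customer 1001 at login
    old_tag = issued["customer_id"].rpartition(".")[2]
    return {
        "unsafe, id edited": profile_unsafe({"customer_id": "1002"}),
        "checked, untouched": profile_checked(issued),
        "checked, id edited": profile_checked({"customer_id": "1002." + old_tag}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

Signing only detects tampering; keeping the identifier in a server-side session and sending the browser a random session token avoids exposing it in the cookie at all.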
The flaw was spotted when M1 released to the public its prices for the latest Apple smartphones and opened the gates for pre-orders for the devices. However, due to high traffic, customers faced difficulty in accessing the site.
On Tuesday, M1 resumed pre-orders for the iPhone 6 and iPhone 6 Plus.