ShopBack fined SG$74,400 after personal data leak affecting millions of customers

share on

twitter /
facebook /
linkedin /
- email
- telegram
- whatsapp
- wechat
- pinterest
- line
- snapchat
- reddit

Online cashback portal ShopBack has been fined SG$74,400 by Singapore Personal Data Protection Commission (PDPC) over a data breach that affected millions of its customers, according to the PDPC in a written judgement.

ShopBack first reported an incident involving unauthorised access to its customer data servers on 25 September, 2020. It also informed its customers in tandem. PDPC subsequently received two complaints from the organisation’s customers in relation to the incident.

Don't miss: ShopBack raises US$80m, eyes new markets and shopping solutions

PDPC then began an investigation to determine ShopBack’s compliance with the Personal Data Protection Act 2012. It found that at the time of the incident, ShopBack hosted its customer database on virtual servers in an Amazon Web Services (AWS) cloud environment.

The organisation employed a 12-man Site Reliability Engineering (SRE) team whose responsibilities included maintaining ShopBack's infrastructure, providing, and managing the organisation’s cloud environment on AWS, and ensuring the security of the AWS keys.

"On 4 June 2019, the AWS Key was inadvertently committed to software code in a private repository in GitHub, by a senior member of the SRE team. This was discovered by another SRE team member on 6 June 2019, and the AWS Key was removed from GitHub on the same day," said PDPC.

However, it remained viewable in GitHub’s ‘commit history’, which records all changes and previous versions of code uploaded on GitHub, a loud-based service that helps developers collaborate, store and manage their code.

On 21 June 2019, the AWS Key was to meant to be deleted and replaced by a new key as part of an out-of-cycle key rotation. The member of the SRE team in charge of the key rotation informed the SRE team that he had created a new key to replace the AWS Key, and that he would be deleting the AWS Key. However, after creating the replacement key, he failed to fully disable and remove the AWS Key, according to PDPC.

As a result, the AWS Key continued to be usable to access ShopBack’s AWS environment until shortly after the time of the incident, about 15 months later.

On 9 September 2020, a malicious threat actor accessed the organisation’s AWS environment and utilised the AWS Key. The AWS Key was likely found by the threat actor in the commit history of the GitHub private repository.

Once in, the threat actor was able to identify ShopBack's data repositories and modified security settings including to allow remote internet access to the organisation’s database instances. The actor was also able to generate a fresh database instance to stage its data exfiltration.

They then extracted data from ShopBack's cusotmer storage servers. data affected included email addresses, names, mobile numbers, bank account number and partial credit card information.

On 17 September 2020, ShopBack identified the breach during a routine security review. ShopBack then brought in a private forensic expert to investigate further. The forensic expert confirmed that the unauthorised access had been carried out using the AWS Key.

ShopBack immediately worked to fix the matter and performed a full deletion of the AWS Key and rotated the other AWS keys. It also reversed all changes made by the threat actor and triggered a forced logout and password reset of all customers’ account, according to PDPC.

It also began increasing the monitoring of logs to ensure that unauthorised access was detected quicker and separated development and production accounts, resulting in a smaller subset of engineers having access to the production environment. It also secured access to systems and data and created a platform for employee security suggestions.

On 12 November 2020 however, the organisation’s database was offered for sale on Raidforums, an online cybersecurity forum commonly used for trading and selling of stolen databases.

The findings

Based on what it found, PDPC determined that ShopBack did no ensure that processes to manage the AWS keys that granted access to the customer storage servers were sufficiently robust.

"While the organisation admitted that it could have done more to ensure that its employees were performing their AWS key rotation duties properly, the organisation claimed that the compromise of the AWS Key arose from human error, and not because of any systemic issue with the organisation’s security practices," wrote PDPC.

According to ShopBack, there was also no reason to doubt the capabilities of the SRE team member in question, because he was a senior member of the SRE team, his responsibilities included key security and rotation, and he had dutifully rotated and deleted all other keys assigned to him in the out-of-cycle key rotation.

The organisation accordingly sought to frame the incident as a one-off case of human error, it said. However, PDPC did not accept this position and stated that organisation could not place sole reliance on their employees to perform their duties properly as a security arrangement to protect personal data.

"There must be some processes to ensure that the step required from the employee is taken, such as independent verification by another checker," it said. "When a high-risk task is concerned, it is all the more important that there must be additional verifications and checks," it added.

PDPC added that secondly, there was a failure to conduct periodic security reviews by the company.

"Specific security reviews by the organisation on AWS keys could have covered and detected whether the AWS Key remained active or had been used after the out-of-cycle key rotation, and during the 15 months preceding the incident. The organisation failed to conduct regular security review on whether the AWS keys had been properly rotated/deleted," it said.

Additionally, PDPC said that there was a lack of periodic security reviews which could have helped to find out if the AWS keys had been properly rotated or deleted.

Following discovery of the inadvertent committal of the AWS Key to GitHub, the organisation took 15 days to conduct a key rotation, it said. Regardless of whether this had been an out-of-cycle rotation, the organisation should review its incident management processes to determine whether it was reasonable to have taken 15 days to remediate compromise of a full administrative privilege AWS access key.

Considering this, PDPC has required ShopBack to pay a financial penalty of $74,400. It added that no further directions are necessary on account of the remedial measures already taken by the organisation.

The biggest conference is back! Experience the future of marketing with 500+ brilliant minds at Digital Marketing Asia on 28 - 30 November in Singapore. Uncover groundbreaking strategies that connect leading brands with their target audiences effectively.

share on