ShopBack faced a hefty fine of SG$74,400 by Singapore’s Personal Data Protection Commission (PDPC) after a massive data breach impacted millions of customers.
The case reached the regulator on 25 September 2020, when ShopBack notified PDPC of unauthorized access to its customer data servers. ShopBack informed its customers at the same time. Soon after, PDPC received two customer complaints linked to the breach.
The PDPC jumped into action, investigating ShopBack’s adherence to the Personal Data Protection Act 2012. They found that during the breach, ShopBack was storing its customer database on Amazon Web Services (AWS) virtual servers.
A 12-person Site Reliability Engineering (SRE) team was in charge of ShopBack’s AWS cloud environment. This team’s key duties? Maintain the infrastructure, manage the AWS cloud environment, and ensure the security of AWS keys.
The mistake happened on 4 June 2019. A senior SRE team member committed an AWS access key to a private GitHub repository. Two days later, another team member noticed and removed the key from the file. But deleting a secret from the current version of a file does not delete it from the repository: the key stayed in GitHub's commit history, the record of every change ever made to the code, where anyone with access to the repository could still retrieve it.
Fast forward to 21 June 2019. The exposed key should have been rotated, meaning a new key created and the old one deleted. An SRE team member said he had created a new key and intended to delete the old one. But he didn't.
The consequence? The exposed key stayed active for another 15 months. In September 2020, an attacker used it to get into ShopBack's AWS environment, likely after finding it in the GitHub commit history. With that access, the attacker located ShopBack's data repositories, modified security settings, and created a new database to stage the stolen data.
The attacker stole data: email addresses, names, phone numbers, bank details, and partial credit card info.
ShopBack discovered the breach on 17 September 2020 during a security check. A forensic expert was hired, who confirmed the breach source as the AWS Key. ShopBack quickly took action. They deleted the compromised AWS Key, rotated other keys, and enforced a password reset for all customers. They also enhanced their monitoring, segregated development from production accounts, and launched an employee security suggestion platform.
Still, the damage was done. By 12 November 2020, ShopBack’s database surfaced for sale on Raidforums.
PDPC’s conclusion? ShopBack failed in robust AWS key management. While ShopBack blamed human error and trusted the senior SRE team member, PDPC stressed the need for extra checks, especially for high-risk tasks.
The company also neglected periodic security reviews. A proper review would have flagged an access key that was still active after it was supposed to have been deleted. The PDPC also criticized ShopBack for taking 15 days, from the discovery of the exposure on 6 June to the attempted rotation on 21 June, to act on the leaked key.
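As an added example (not code from ShopBack, PDPC or the source report), the following Python script shows the two checks this case turned on: scanning a `git log -p` dump for AWS access key IDs, which makes the point that the commit removing a secret still carries it in its own diff, and auditing IAM access key metadata for keys that are leaked or past a rotation window, the check a periodic review would run. The repository history, commit hashes, user names, dates and IAM records are all constructed for the example; the access key ID AKIAIOSFODNN7EXAMPLE and its secret are AWS's own documentation placeholders, not real credentials, and the second key ID is made up. The audit function uses the field names of boto3's `iam.list_access_keys()` response but makes no AWS call.

```python
import re
from datetime import datetime, timedelta, timezone

# AWS access key IDs are 20 characters: the prefix AKIA (long-term) or ASIA
# (temporary) followed by 16 uppercase letters or digits.
AWS_ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Constructed `git log -p` output for the sequence in the article: commit
# a1b2c3d adds a config file containing credentials, commit d4e5f6a removes
# them again. The key is AWS's documentation placeholder, not a real credential.
SAMPLE_GIT_LOG = """\
commit d4e5f6a
Author: sre-2 <sre-2@example.invalid>
Date:   Thu Jun 6 10:12:00 2019 +0800

    remove credentials that should never have been committed

diff --git a/deploy/prod.env b/deploy/prod.env
--- a/deploy/prod.env
+++ b/deploy/prod.env
@@ -1,3 +1 @@
 AWS_REGION=ap-southeast-1
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
-AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

commit a1b2c3d
Author: sre-1 <sre-1@example.invalid>
Date:   Tue Jun 4 18:40:00 2019 +0800

    add prod deploy config

diff --git a/deploy/prod.env b/deploy/prod.env
new file mode 100644
--- /dev/null
+++ b/deploy/prod.env
@@ -0,0 +1,3 @@
+AWS_REGION=ap-southeast-1
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def commits_exposing_keys(git_log: str) -> dict[str, list[str]]:
    """Map every AWS access key ID in a `git log -p` dump to the commits whose
    diff contains it, in the order git printed them (newest first). A removed
    line ('-...') counts: the commit that deletes a secret still carries it."""
    exposures: dict[str, list[str]] = {}
    current_commit = None
    for line in git_log.splitlines():
        # git indents commit messages by four spaces, so only a header line
        # starts with "commit " at column 0.
        if line.startswith("commit "):
            current_commit = line.split()[1]
            continue
        for key_id in AWS_ACCESS_KEY_ID_RE.findall(line):
            seen_in = exposures.setdefault(key_id, [])
            if current_commit is not None and current_commit not in seen_in:
                seen_in.append(current_commit)
    return exposures


# Constructed IAM metadata in the shape of boto3's
# iam.list_access_keys()["AccessKeyMetadata"]: the exposed key was never
# deleted, so it is still Active alongside the replacement created on 21 June.
SAMPLE_IAM_KEYS = [
    {"UserName": "sre-deploy", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
     "Status": "Active", "CreateDate": datetime(2018, 11, 1, tzinfo=timezone.utc)},
    {"UserName": "sre-deploy", "AccessKeyId": "AKIAEXAMPLE2NEWKEY00",
     "Status": "Active", "CreateDate": datetime(2019, 6, 21, tzinfo=timezone.utc)},
]
REVIEW_DATE = datetime(2019, 7, 1, tzinfo=timezone.utc)  # hypothetical periodic review


def audit_access_keys(key_metadata, leaked_key_ids, now, max_age_days=90):
    """Return the Active keys that must be rotated: any key that has appeared
    in a leak (rotate immediately, whatever its age) and any key older than
    the rotation window (the check a periodic review would run)."""
    cutoff = now - timedelta(days=max_age_days)
    findings = {"leaked_active": [], "stale_active": []}
    for key in key_metadata:
        if key["Status"] != "Active":
            continue  # an Inactive key cannot authenticate; clean it up, but it is not the emergency
        if key["AccessKeyId"] in leaked_key_ids:
            findings["leaked_active"].append(key["AccessKeyId"])
        if key["CreateDate"] < cutoff:
            findings["stale_active"].append(key["AccessKeyId"])
    return findings


def review_sample():
    """Run both checks over the constructed data: history scan, then IAM audit."""
    leaked = set(commits_exposing_keys(SAMPLE_GIT_LOG))
    return audit_access_keys(SAMPLE_IAM_KEYS, leaked, REVIEW_DATE)


if __name__ == "__main__":
    for key_id, commits in commits_exposing_keys(SAMPLE_GIT_LOG).items():
        print(f"{key_id} appears in commits {', '.join(commits)}")
    for reason, key_ids in review_sample().items():
        print(f"{reason}: {key_ids}")
```

On a real repository you would feed the scanner `git log -p --all` so that unmerged branches are covered, and treat any hit as a compromised credential: deactivate it with `aws iam update-access-key --status Inactive`, confirm nothing depends on it, then delete it with `aws iam delete-access-key`. Rewriting or force-pushing history afterwards does not close the exposure, because the repository may already have been cloned or cached; only rotation does. The script matches only key IDs, since a 40-character secret has no reliable shape; dedicated scanners such as gitleaks or trufflehog cover secrets and many more credential formats.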
Given the findings, PDPC slapped ShopBack with a SG$74,400 fine, acknowledging the company’s remedial actions but emphasizing the importance of strict security measures.
This news is based on a report by Marketing Interactive.