Loyalty marketing agency fined S$10,000 over data leak of Starbucks Singapore customers

SINGAPORE: The developer of an e-commerce platform owned by Starbucks Singapore has been fined S$10,000 over a data breach that affected more than 300,000 members of the popular coffee chain’s rewards membership programme.

The developer, Ascentis, cooperated with investigations and took prompt remedial actions to address the breach, said the Personal Data Protection Commission (PDPC) in its judgment released on Nov 10.

Meanwhile, Starbucks Singapore gave a voluntary undertaking to implement enhanced security arrangements in order to better comply with Singapore’s personal data laws. No further enforcement action was taken against it.

Ascentis’ website states that it was “voted by senior industry marketers” as “one of Singapore’s award-winning loyalty marketing (agencies)”.

The breach first came to light in September last year after the personal data of 332,774 Starbucks Singapore customers was put up for sale on a dark web forum.

This comprised contact and account membership information such as names, physical addresses, email addresses, telephone numbers and birth dates.

The data, collected from those who signed up for the My Starbucks Rewards loyalty programme, was stored on a cloud database.

PROJECT TEAM USED SHARED GOOGLE SHEET

Starbucks Singapore first hired Ascentis to support its loyalty programme in 2014.

In 2020, Starbucks Singapore engaged Ascentis to separately develop and provide, as well as render ongoing technical support for, its e-commerce platform. Customers would be able to buy Starbucks products through the platform.

Ascentis then engaged an overseas vendor – Kyanon Digital, a Vietnam-based company – to provide additional manpower and software development support.

Despite Kyanon’s involvement, Ascentis maintained control and management over the project. Kyanon employees were given accounts to the e-commerce platform with full administrative privileges, which also granted them rights to export data from the platform.

At the time, these admin accounts did not require multi-factor authentication.

In May 2022, a Kyanon employee – named Peter in the judgment – left the company and handed over his account credentials to the remaining members of the project team via a shared Google Sheet.

His admin account was not disabled. Kyanon employees merely changed the password, updated the Google Sheet with the new password, and continued using the account.

Sometime between Sep 10 and 13, 2022, a malicious actor used this account to gain access to the e-commerce platform.

Starbucks Singapore was not able to figure out how the malicious actor did this, but it was possibly through the shared Google Sheet, said the PDPC.

The malicious actor granted other accounts administrative privileges, gathered data, and exported this data to an external email address.

The personal data of 332,774 individuals stored in the e-commerce platform – comprising names, email addresses, birth dates, membership details relating to the loyalty programme, and their last login dates to the platform – were exfiltrated.

This was on top of the physical addresses of 181,875 customers and the telephone numbers of 310,560 customers.

The data was subsequently advertised for sale on an online forum on the dark web.

The Singapore Computer Emergency Response Team (SingCERT) notified the PDPC of the incident on Sep 13, 2022. Starbucks Singapore and Ascentis respectively submitted data breach notifications to the PDPC on Sep 15 and 16 that same year.

In its judgment, the PDPC found that Ascentis failed to disable Peter’s admin account after he left Kyanon and the Starbucks Singapore project. By Ascentis’ own admission, it was responsible for creating and managing admin accounts.

This was made worse by the account not being protected with a sufficiently complex password, said the PDPC.

Ascentis had told the PDPC that the new password met the platform’s password complexity requirements – at least eight characters in length, one upper and one lower case letter, one special character, and not be a repeat of the account’s previous five passwords.

The PDPC reiterated its stance that “mere technical compliance” with password complexity requirements “is not good enough if the password remains guessable”.

In this case, the new password incorporated “Kyanon” and a sequential series of digits.

The PDPC added: “While the immediate cause for the weak new password and insecure sharing of the credentials for Peter’s admin account may have been the Kyanon employees, (Ascentis) could have managed this better by specifying clearer data protection requirements to Kyanon as part of its involvement in the project, including in relation to account management.”

MULTI-FACTOR AUTHENTICATION

The PDPC also gave observations on two other data protection practices that could have prevented the data breach, even if Peter’s admin account was not disabled.

One practice was only assigning rights for an admin account to the necessary employees, and implementing multi-factor authentication for such accounts.

The PDPC said it recognised the business difficulties faced by Ascentis, which had explained that it delayed plans to implement multi-factor authentication due to manpower shortages caused by the COVID-19 pandemic.

However, it added that the implementation could have been given greater priority, considering the volume of personal data stored on the e-commerce platform.

In determining the financial penalty, the PDPC recognised that Ascentis cooperated with investigations, took prompt remedial actions, did not previously breach the Personal Data Protection Act, and voluntarily accepted responsibility for the incident.

The PDPC also said it was satisfied the data breach could not be directly attributed to Starbucks Singapore, since internal lapses by Ascentis had caused the breach.

However, the commission added that Starbucks Singapore “could further improve on the contractual stipulation and handling of its data intermediaries”.

The PDPC has determined that Starbucks Singapore complied with the terms of its voluntary undertaking, it said.

The undertaking involved a remediation plan, including requesting its vendor to implement two-factor authentication and IP address restriction to access the admin portal of the customer database.

DOES NOT STORE CREDIT CARD INFO

When the breach came to light, Starbucks Singapore said in an email sent to customers that it does not store credit card information as per its security data practices.

It also said it implemented additional measures to protect customer information, adding that all stored value, rewards and credits in users’ Starbucks Rewards membership remained intact.

CNA has sought further comments from Starbucks Singapore following the judgment.

In October last year, the maximum amount that a company can be fined for a data breach was increased to either 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher.

Previously, organisations that violate the Personal Data Protection Act would face a financial penalty of up to S$1 million.

Source: https://www.channelnewsasia.com/singapore/starbucks-singapore-330000-customers-data-leak-ascentis-fined-3925281