The recent data breach that hit online cashback platform ShopBack is now being investigated by the Department of Personal Data Protection (JPDP), though it is still seeking feedback on the number of Malaysians that have been affected. This includes looking whether any personal data has been compromised by the breach.
In statement issued by the JPDP, it said that ShopBack had discovered on 17 September, an incident that involved unauthorised access to its systems that contained its customer’s personal information such as their names, contact information, date of birth and bank account numbers.
ShopBack, which offers cashback rewards for online shopping, said that its services and business operations have not been affected by the recent incident. As a precautionary measure, the company advised its users to change their passwords and report of any suspicious emails to the relevant authorities and to stay vigilant.
The JPDP said a representative appointed by ShopBack informed them about the situation on 25 September. Following the incident, ShopBack said it had begun contacting its customers via email. The company also set up a website with a questions and answers (Q&A) section to provide clarification as well as state the measures that have been taken following the discovery of the breach.
Aside from that, the government agency said it was informed by ShopBack of its mitigation plan to prevent the data breach from escalating further. ShopBack assured that its plans would be able to fully contain the breach.
The JPDP said it viewed the breach as a serious matter. “The department will also work closely with relevant authorities to measure the severity of the personal data breach in line with the Personal Data Protection Act 2010 (Act 709),” it said.
Emails sent to customers on 25 September by ShopBack assured them that the online cashback platform was confirming which data was compromised. So far, it has no reason to believe that any personal data has been misused, though it admitted that the possibility still exists.
“What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account is protected by encryption,” ShopBack said, adding that it had “immediately removed” the unauthorised access after being made aware of the issue.
“While bank account numbers do not permit third parties direct access to your bank accounts, users who have provided us with their bank account numbers should be watchful for potential phishing attacks,” it advised.
ShopBack released a statement to Star Lifestyle Tech that it investigation are still ongoing and that customers are still able to continue to access their accounts.
Allianz Risk Barometer 2020 indicates that data breaches are the most serious business risk globally. Now these incidents are becoming more damaging as large companies are being targeted with sophisticated attacks and hefty extortion demands.