In cafes and hotels, personal data gets exposed in recent breaches

2022-10-07

Despite an increase in data protection awareness in the region, there has been a spate of data breaches in Singapore and across the Asia-Pacific recently.

While some of this data was encrypted, the risk remains that a significant volume of personal data, of varying sensitivity, was exposed. The following high-profile breaches took place just before amendments to Singapore’s Personal Data Protection Act (PDPA) were implemented on 1 October 2022.

Starbucks customer info put up for sale

On 10 September 2022, the personal data of 330,000 Singaporean customers of the global coffee chain Starbucks was put up for sale on an online forum.

Affected customers received an email from Starbucks six days later, on 16 September, notifying them of the breach that had compromised personal information, reportedly including their names, gender, date of birth, mobile numbers, and residential and email addresses.

The company advised customers to reset their membership account passwords immediately.

A spokesperson said that they were made aware of the breach only on 13 September, and customers affected were those who had previously made purchases via Starbucks’ app or online store.

According to Starbucks, customers’ credit card data had not been compromised as Starbucks does not store such data as per their security data practice.

The Personal Data Protection Commission (PDPC) has been notified of the breach and is currently investigating. One copy of the database has already been sold, with a list price of $3,500, and four more copies were listed for sale.


Shangri-La guest data exfiltrated

Meanwhile, affected guests of luxury hotel chain Shangri-La Group were notified via a 30 September email that the chain’s databases had been breached and that certain files had been stolen. Out of the eight properties affected, two were located in Singapore – Shangri-La apartments and Shangri-La Singapore. Properties in Hong Kong, Japan, Taiwan and Thailand were also affected.

The full extent of the breach is not yet known, although the Office of the Privacy Commissioner of Personal Data in Hong Kong noted that the breach affected some 290,000 customers of the three Shangri-La properties in the territory.

According to Bryan Yu, the group's senior vice-president for operations and process transformation, a sophisticated threat actor managed to bypass Shangri-La's IT security monitoring systems undetected and illegally accessed the guest databases.

Yu further added that although they were not able to confirm the content of the exfiltrated data files, it is likely that they contained guest data, including names, email addresses, phone numbers, postal addresses, membership numbers, reservation dates and company names.

He added that the more sensitive information in the databases, such as passport numbers, ID numbers, dates of birth or credit card numbers, was encrypted.

An investigation conducted by Shangri-La Group revealed that the breach took place sometime between May and July 2022. This period coincided with the return of the Shangri-La Dialogue, Asia's top security summit, to Singapore after a two-year hiatus.

A Group spokesperson said that there is no evidence to suggest any specific hotel or event was singled out. A spokesperson for the event organiser, the International Institute for Strategic Studies, further clarified that data related to the Dialogue was stored on a separate secure server and hence not affected by this incident.

The Cyber Security Agency of Singapore is aware of the incident, and urges organisations to proactively monitor and check their IT networks regularly for signs of suspicious activity.
