M1 website flaw led to one unauthorised access, telco explains

Telco M1 said a design flaw on its website that takes pre-orders for the new Apple iPhone 6 and 6 Plus resulted in one unauthorised access to customers' personal data. -- PHOTO: M1
Telco M1 said a design flaw on its website that takes pre-orders for the new Apple iPhone 6 and 6 Plus resulted in one unauthorised access to customers' personal data. -- PHOTO: M1

SINGAPORE - Telco M1 said a design flaw on its website that takes pre-orders for the new Apple iPhone 6 and 6 Plus resulted in one unauthorised access to customers' personal data.

The website was restored on Tuesday after 12 hours of suspension due to the flaw that allows a visitor to the website to access customers' personal information simply by changing data stored in a "cookie" on his browser.

"A security patch was immediately developed and deployed which rectified the flaw," said M1 in a statement on Wednesday night.

"Our investigation to date has detected one case of unauthorised access to some personal information of 12 customers, such as their names and addresses," it added.

"Credit card and bank account details were not accessible. We sincerely apologise to our affected customers and are in the process of contacting them."

Customers were informed of the security loophole at 7.30pm on Monday via the telco's Facebook notice. Its website was suspended temporarily to protect customers' personal information, it said.

The Personal Data Protection Commission is investigating the M1 security loophole.

A customer alerted M1 to the potential security loophole via a post on M1's Facebook wall on Sunday at around 9pm. He was reportedly able to access information such as phone numbers, identity card numbers and home addresses from online pre-order forms.

The customer was the only one who accessed the data.