685,000 HardwareZone accounts' data compromised

Hacker impersonated senior moderator on online forum to access user profiles; police report made

The user profile data of 685,000 registered HardwareZone (HWZ) users was retrieved by a hacker who accessed information like users' full names, usernames and e-mail addresses through one account.

HWZ found out about the breach on Sunday after the discovery of a "suspicious posting" on the site's popular forum. HWZ, which is owned by SPH Magazines, is also known for its technology news and product reviews.

An investigation was immediately launched and it was ascertained that the breach had taken place since September last year when the unidentified perpetrator hacked the account and used compromised credentials to impersonate a senior moderator on the forum.

SPH Magazines said it has made a police report and also informed the Personal Data Protection Commission (PDPC). In a release yesterday, SPH Magazines said the database does not contain NRIC numbers, telephone numbers and addresses as these were purged in July 2015, in line with PDPC guidelines.

As a matter of precaution, forum users were advised to change their forum account passwords. SPH Magazines has also engaged security consultants to conduct a review of the system. The statement added: "SPH Magazines and HWZ sincerely apologise to HWZ users for this breach of security. We remain committed to protecting all personal data shared with us."

In 2016, ride-sharing company Uber fell victim to hackers who preyed on the personal information of 380,000 people in Singapore, including names, e-mail addresses and mobile phone numbers.

In September 2014, the names, contact numbers and residential addresses of 317,000 customers were leaked by karaoke chain K Box Entertainment Group.

K Box was fined $50,000 by the PDPC in 2016 for the breach. In total, four organisations were fined and seven others were issued warnings or directions for failing to protect the personal data of consumers. It was the first time the PDPC has taken action against rule breakers since the Personal Data Protection Act took full effect in July 2014.

The heaviest fine of $50,000 was levied on K Box. Under the Act, organisations that fail to protect consumers' personal data can be fined up to $1 million per breach.

Melody Zaccheus

A version of this article appeared in the print edition of The Straits Times on February 21, 2018, with the headline '685,000 HardwareZone accounts' data compromised'. Print Edition | Subscribe