Data breach of potentially 100,000 Razer customers worldwide discovered by cyber-security consultant


SINGAPORE - The personal and shipping information as well as order details of about 100,000 Razer customers around the world had been in danger of being exposed because a server was misconfigured, allowing the public to have access to the data.

But their credit card numbers and passwords were safe, Razer said in a statement last Friday (Sept 11).

The statement by the home-grown gaming hardware firm also said the problem was fixed two days earlier, last Wednesday.

When contacted on Tuesday, a spokesman for Singapore's Personal Data Protection Commission said it is aware of the incident and is looking into the matter. This agency comes under the Infocomm Media Development Authority.

The data breach was discovered by cyber-security consultant Volodymyr Diachenko, who wrote last Thursday on LinkedIn that he estimated the total number of affected customers to be around 100,000, based on the number of e-mail addresses exposed.

Razer has not confirmed the figure.

Mr Diachenko said the server had been misconfigured for public access since Aug 18 and that he immediately notified the company via its support channel. But his message was processed by non-technical support managers for more than three weeks before the data was secured from public access.

He said exposed information included full names, e-mails, phone numbers, customer internal IDs, order numbers, order details, as well as billing and shipping addresses.

In its statement to Mr Diachenko, Razer said the server misconfiguration potentially exposed order details, customer and shipping information.

"The server misconfiguration has been fixed on Sept 9, prior to the lapse being made public," it added.

Razer apologised for the lapse and said it had taken all necessary steps to fix it as well as do a thorough review of its IT security and systems.

"We remain committed to ensure the digital safety and security of all our customers," it added.

Mr Diachenko said customer records could have been used by criminals to launch targeted phishing attacks in which the scammer posed as Razer or a related company. Customers could also be at risk of fraud.

He urged Razer's customers to be on the lookout for phishing attempts sent to their phone or e-mail address.

Last Thursday, ride-hailing operator Grab was fined $10,000 for failing to secure its drivers' and passengers' personal details on its mobile app, the fourth time in two years that it has been found to have breached data protection laws.

A software update to its ride-hailing app on Aug 30 last year inadvertently exposed the personal data of 21,541 GrabHitch drivers and passengers to the risk of unauthorised access.
