Ikea Singapore apologises after more than 400 e-mail IDs revealed to customers

Ikea accidentally inserted 410 individual e-mail addresses into the wrong field in a promotion mailer, allowing other recipients to see the addresses. ST PHOTO: KELVIN CHNG

SINGAPORE - Swedish retailer Ikea apologised to affected customers in Singapore on Sunday (Aug 4) after the company inserted 410 individual e-mail addresses in the wrong message field of a promotional mailer and sent it out.

A spokesman for Ikea Singapore said the error occurred at 4.57pm last Thursday and that the company "regretfully made an error of inserting 410 individual e-mail addresses in the 'To' field in an Ikea Service Delivery Promotion e-mail sent to our customers", therefore making all the e-mail addresses visible to all recipients of the mailer.

However, an e-mail it then sent to quickly notify affected customers about the leak and to apologise included an internal draft of the apology instead. This second e-mail was sent to half the recipients.

"In our haste to notify the customers as quickly as possible, we again made a mistake by sending half the recipients an internal draft of the apology notice instead, an oversight that we are embarrassed about," Ikea said.

Ikea said that it takes customers' personal data integrity seriously and had notified the Personal Data Protection Commission of Singapore (PDPC) when the error was discovered.

Under the Personal Data Protection Act, organisations must generally have an individual's knowledge and consent when collecting, using or disclosing their personal data.

Apologising for causing customers "unease and inconvenience", Ikea said: "Confidence and trust in our company including our data protection policies is important to us and we will look at and implement effective ways to prevent this from happening again, through reviews of procedures, technology and training."

Last month, international beauty retailer Sephora issued a notice to its online customers after it discovered a data breach which affected customers in Singapore, Malaysia, Indonesia, Thailand, Philippines, New Zealand and Australia.

The breach exposed customers' personal information including first and last names, date of birth, gender, e-mail addresses and encrypted passwords to unauthorised third parties.

Electricity retailer Geneco was probed by the PDPC last month after it exposed the personal e-mails of more than 350 of its potential customers.

The company e-mailed some of its potential customers to ask for a copy of their Singapore Power bill to verify their account with Geneco.

Similar to Ikea Singapore's incident, Geneco's mail copied the e-mail addresses in the "To" field so the contacts were visible to all recipients.

Join ST's Telegram channel and get the latest breaking news delivered to you.