Personal, shipping information of 100,000 Razer customers leaked

The personal and shipping information, as well as order details, of about 100,000 Razer customers around the world had been leaked because a server was misconfigured, allowing the public to have access to the data.

However, the customers' credit card numbers and passwords were safe despite the data breach, Razer said in a statement last Friday.

The home-grown gaming hardware firm added that the problem had been fixed last Wednesday.

When contacted by The Straits Times yesterday, a spokesman for Singapore's Personal Data Protection Commission said it is aware of the incident and is looking into the matter. The agency comes under the Infocomm Media Development Authority.

The data breach was discovered by cyber-security consultant Volodymyr Diachenko, who wrote last Thursday on LinkedIn that he estimated the total number of affected customers to be around 100,000, based on the number of e-mail addresses exposed. Razer has not confirmed the figure.

Mr Diachenko said the server had been misconfigured for public access since Aug 18, and he immediately notified the company via their support channel. But his message was processed by non-technical support managers for more than three weeks before the data was secured from public access.

He said exposed information included full names, e-mails, phone numbers, customer internal IDs, order numbers and order details, as well as billing and shipping addresses.

In its statement to Mr Diachenko, Razer said the server misconfiguration potentially exposed order details, customer and shipping information. "The server misconfiguration has been fixed on Sept 9, prior to the lapse being made public."

Razer apologised for the breach and said it had taken all necessary steps to fix the problem as well as conduct a thorough review of its IT security and systems.

"We remain committed to ensure the digital safety and security of all our customers," it added.

Mr Diachenko said customer records could have been used by criminals to launch targeted phishing attacks in which the scammer posed as Razer or a related company. Customers could also be at risk of fraud.

He urged Razer's customers to be on the lookout for phishing attempts sent to their phone or e-mail address.

Last Thursday, ride-hailing operator Grab was fined $10,000 for failing to secure its drivers' and passengers' personal details on its mobile app, the fourth time in two years that it has been found to have breached data protection laws.

A software update to its ride-hailing app on Aug 30 last year inadvertently exposed the personal data of 21,541 GrabHitch drivers and passengers to the risk of unauthorised access.

A version of this article appeared in the print edition of The Straits Times on September 16, 2020, with the headline 'Personal, shipping information of 100,000 Razer customers leaked'.