Data of 4,749 KrisShop customers exposed after phishing attack
SIA in-flight retailer contacting those affected and is reviewing its systems and processes
Sign up now: Get ST's newsletters delivered to your inbox
The personal information of 4,749 KrisShop customers was exposed to an unknown party after a phishing attack targeted an employee account of the Singapore Airlines in-flight retailer.
Personal data exposed included names, e-mail addresses, residential addresses, contact numbers and KrisShop e-voucher numbers.
The bank account numbers of about 165 customers, as well as the KrisFlyer account numbers of 17 people, were also exposed.
"Based on our investigations, the data did not include any password or credit card information, as the files did not include such information," a KrisShop spokesman told The Straits Times yesterday.
On March 8, KrisShop discovered that the work account of one of its employees was illegally accessed by an external party as a result of the phishing attack.
The spokesman did not give details of the attack or the identity of the external party.
"The affected account was locked as soon as we were alerted to the phishing attack, and investigations began immediately," said the spokesman.
"Upon further investigations, we found that files containing data involving 4,749 individuals may have been exposed due to this incident."
The spokesman said the exposed files were encrypted.
The Personal Data Protection Commission was notified last Thursday, after the information required for KrisShop to make a report was verified internally by the company.
Apologising to affected customers for the incident, KrisShop said it is in the process of contacting them and will be offering any assistance that they may require.
The affected KrisShop e-vouchers have also been cancelled and replaced.
Customers who have any queries may contact the retailer at KrisShopCustomerCare@krisshop .com
The company has reviewed its systems and processes together with Singapore Airlines, and concluded that the breach was an isolated incident that came about because of human error.
None of its other databases or systems had been compromised.
"The protection of our customers' personal data is of utmost importance to KrisShop," said the spokesman. "We will continue to take steps to strengthen our systems and processes."
Phishing attacks have made the news recently. They include SMS phishing scams targeting OCBC Bank customers in December last year and January, which saw 790 people lose $13.7 million in total.
At least 72 people have lost over $109,000 to a phishing scam on online marketplace Carousell, the police said in a statement on March 3.
Pretending to be buyers, fraudsters would tell sellers that they would pay them via CarouPay, an in-app payment feature. The victims would then receive an e-mail purportedly sent from Carousell stating that payment was made, but they needed to access a link in the e-mail to receive it.
The link would redirect them to fraudulent websites masquerading as bank websites, where they would be asked to give their banking details and one-time password in order to receive payment.
"Victims would realise that they had been scammed only when they discovered unauthorised transactions made from their bank accounts," the police had said.

