SIA's in-flight retailer KrisShop targeted in phishing attack, data of 4,749 customers exposed

Personal data exposed in the KrisShop breach included names, residential addresses, contact numbers, and e-voucher numbers. ST PHOTO: JASON QUAH

SINGAPORE - The personal information of 4,749 KrisShop customers was exposed to an unknown party after a phishing attack targeted an employee account of the Singapore Airlines' in-flight retailer.

Personal data exposed included names, e-mail addresses, residential addresses, contact numbers and KrisShop e-voucher numbers.

The bank account numbers of about 165 customers, as well as the KrisFlyer account numbers of 17 people, were also exposed.

"Based on our investigations, the data did not include any password or credit card information, as the files did not include such information," a KrisShop spokesman told The Straits Times on Thursday (March 17).

On March 8, KrisShop discovered that one of its employees' work account was illegally accessed by an external party due to a phishing attack.

The spokesman did not give details of the attack and the identity of the external party.

"The affected account was locked as soon as we were alerted to the phishing attack, and investigations began immediately," said the spokesman.

"Upon further investigations, we found that files containing data involving 4,749 individuals may have been exposed due to this incident."

The spokesman said the exposed files were encrypted.

The Personal Data Protection Commission was notified on March 10, after the information required for KrisShop to make a report was verified internally by the company.

Apologising to affected customers for the incident, KrisShop said it is in the process of contacting them and will be offering any assistance that they may require.

The affected KrisShop e-vouchers have also been cancelled and replaced.

Customers who have any queries may also contact the retailer at KrisShopCustomerCare@krisshop.com

The company has reviewed its systems and processes together with Singapore Airlines, and concluded that the breach was an isolated incident that came about due to human error.

None of its other databases or systems had been compromised.

"The protection of our customers' personal data is of utmost importance to KrisShop," said the spokesman.

"We will continue to take steps to strengthen our systems and processes."

Phishing attacks have made the news recently.

They include the recent SMS phishing scams targeting OCBC Bank customers in December last year and January this year, which saw 790 people lose $13.7 million in total.

At least 72 people have lost over $109,000 to a phishing scam on online marketplace Carousell, the police had said in a statement on March 3.

Pretending to be buyers, the fraudsters would tell the victim sellers that they would be paying them via CarouPay, an in-app payment feature.

The victims would then receive an e-mail purportedly sent from Carousell, stating that payment was made but they needed to access a link in the e-mail to receive it.

The link would redirect them to fraudulent websites masquerading as bank websites, where they would be asked to give their banking details and one-time password in order to receive payment.

"Victims would realise that they had been scammed only when they discovered unauthorised transactions made to their bank accounts," the police had said.

Join ST's Telegram channel and get the latest breaking news delivered to you.