Singapore’s Personal Data Protection Commission (PDPC) has levied a S$10,000 fine on Ascentis, the developer behind Starbucks Singapore’s e-commerce platform, following a data breach impacting over 300,000 members of Starbucks’ rewards program.
The breach, which occurred last year, compromised personal data such as names, addresses, emails, phone numbers, and birth dates of 332,774 Starbucks Singapore customers. This data, stored on a cloud database for the My Starbucks Rewards program, was unlawfully accessed and subsequently advertised for sale on the dark web.
The breach stemmed from security vulnerabilities in the e-commerce platform’s management. Ascentis failed to deactivate an employee’s admin account after they left their role, allowing unauthorized access. Moreover, the account lacked adequate protection, using a weak password that incorporated the company name and a sequential series of digits, falling short of robust security standards.
The PDPC emphasized that mere compliance with password complexity requirements is insufficient if passwords remain easily guessable. They recommended more stringent password policies and highlighted the importance of implementing multi-factor authentication, acknowledging the challenges faced by Ascentis due to pandemic-induced manpower shortages.
Although Ascentis cooperated with investigations and promptly addressed the breach, the PDPC held them accountable for the incident due to lapses in managing admin accounts and implementing robust security measures.
Starbucks Singapore, while not directly responsible for the breach, volunteered to enhance its security protocols. It undertook measures such as implementing two-factor authentication and IP address restrictions for database access, complying with its voluntary commitment to improve data protection practices.
In response to the breach, Starbucks assured customers that their credit card information was not stored in their systems and implemented additional security measures to safeguard customer data.