Details of how the breach occurred are scarce, but victims of the department store data leak must take immediate action.

Just weeks after a bank in Singapore was used as bait in phishing scams causing losses totaling S$8.5m, another Singapore business has been linked to a data breach.

According to the country’s local media, on 6 Jan 2022, a department store chain called OG has had its customer membership database—stored and managed by a third party—breached.

Data involved includes names, mailing/email addresses, mobile numbers, gender and dates of birth. According to the department store management, no financial information such as credit card numbers, were involved. Its spokesman and the official press statement did not reveal how many members are affected by the breach.

Apparently, this incident is again a case of a firm’s vendors being the weak link, as in Singtel’s and Fullerton Health’s breaches in the country last year involving third-party vendor breaches.

Plugging the weakest link

According to Jeffrey Kok, VP (Solution Engineers), CyberArk Asia Pacific and Japan, the trending increase in ransomware amounts has caused the value of stolen personal data to increase, leading to more phishing attacks, scams, social engineering and other campaigns. “Monitoring and controlling access rights and privileges is crucial to maintaining a strong security posture. The current landscape has brought about opportunities for attackers to leverage, and retailers and other businesses need to proactively ensure they secure powerful privilege accounts and keep sensitive customer data safe. This is because attackers who gain access to privileged accounts can potentially elevate privileges and move laterally throughout the network to accomplish their goals that could be as serious as executing a complete network takeover”.

As always, customers affected data breaches should be on round-the-clock alert for unsolicited calls, SMS and emails. They should immediately change all their access passwords, and remind people in their contact list to be vigilant of any ruses making use of the victim’s identity.

Kok added that in Singapore, businesses working with third-party vendors could consider independent audits, red team and penetration testing to ascertain that third-party vendors meet expectations of  rigor, due diligence, security controls and governance in cybersecurity.

Also, readers of CybersecAsia and its email newsletter would by now be familiar with the routines for handling phishy emails and SMSes.