In both Singapore and Malaysia, government agencies are hot on the heels of an e-commerce platform’s breach investigation and mitigation plans.

In the recent ShopBack data breach, the firm claimed it became aware of unauthorized access to its systems ‘a few days’ earlier, involving customers’ personal data.

Investigations to determine how much data was exposed are still ongoing. ShopBack has also suggested that its customers change their passwords as an “added precautionary measure”, even though account passwords are reportedly encrypted.

Concurrently in Malaysia, the Department of Personal Data Protection (JPDP) said it will seek feedback from ShopBack Cashback Sdn Bhd regarding a recent personal data breach there.

In a JPDP statement, ShopBack was said to have discovered an incident involving unauthorized access to its systems containing customers’ personal information, such as names, contact information, dates of birth and bank account numbers, on Sept 17. JPDP was then notified of the situation by a representative appointed by ShopBack on Sept 25.

The government agency said ShopBack had pledged mitigation plans to prevent the breach from escalating further. The firm said it will “work closely with relevant authorities to measure the severity of the personal data breach in line with the Personal Data Protection Act 2010 (Act 709)”, adding that it viewed the breach seriously.

An expert’s view

Attempts to compromise systems are continuous, which requires businesses to implement monitoring programs to detect unauthorized access. Unfortunately, according to a senior security strategist, the time at which a cybercriminal gains access to a system and the date on which they attempt to profit from that access can be separated by days or even months.

“For example, if a criminal has access to login credentials for an employee, it’s likely that they will test those credentials to ensure they are valid and then create a plan to profit from the access granted. Part of the risk in testing such credentials is the unknown level of sophistication used by the business in their monitoring,” said Tim Mackey, Principal Security Strategist, Synopsys Software Integrity Group.

For example, an active login outside of normal work hours is something security teams might be on the lookout for, as it indicates something unusual that needs investigation. Such investigations may take a day or two to complete, but while worrying, a few days’ delay in detection is far quicker than the average time to identify and contain a personal data breach globally: currently cited as over six months, according to IBM’s 2020 Cost of a Data Breach report.
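As an added illustration of the monitoring the expert describes (not code from the article or from ShopBack), the Python below flags successful logins that fall outside working hours or come from a source address not previously seen for that user, the kind of event that would prompt a security team to investigate. The log line format, business hours, user names, addresses and the per-user baseline are all constructed assumptions.

```python
# Added example: flag off-hours logins and logins from unfamiliar sources.
# Log format, working hours, users and baseline addresses are constructed.
import re
from datetime import datetime, time

# Constructed sample lines: "<ISO timestamp> LOGIN_OK user=<name> src=<ip>"
SAMPLE_LOG = """\
2020-09-17T09:12:41 LOGIN_OK user=alice src=10.0.0.5
2020-09-17T02:47:03 LOGIN_OK user=alice src=198.51.100.23
2020-09-17T14:30:00 LOGIN_OK user=bob src=10.0.0.9
2020-09-19T11:05:17 LOGIN_OK user=bob src=10.0.0.9
2020-09-20T23:58:10 LOGIN_OK user=carol src=203.0.113.77
"""

LINE_RE = re.compile(r"^(\S+) LOGIN_OK user=(\S+) src=(\S+)$")
WORK_START, WORK_END = time(8, 0), time(18, 0)   # assumed business hours
WORKDAYS = range(0, 5)                           # Monday..Friday

# Assumed baseline: source addresses each user has logged in from before.
KNOWN_SOURCES = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.9"}, "carol": {"10.0.0.12"}}

def parse_logins(text):
    """Yield (timestamp, user, src_ip) for every LOGIN_OK line in the text."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def is_off_hours(ts):
    """True when the login is on a weekend or outside working hours."""
    return ts.weekday() not in WORKDAYS or not (WORK_START <= ts.time() < WORK_END)

def login_anomalies(text):
    """Return (user, ISO timestamp, src_ip, reasons) for logins worth review."""
    findings = []
    for ts, user, src in parse_logins(text):
        reasons = []
        if is_off_hours(ts):
            reasons.append("off-hours")
        if src not in KNOWN_SOURCES.get(user, set()):
            reasons.append("new-source")
        if reasons:
            findings.append((user, ts.isoformat(), src, ",".join(reasons)))
    return findings

if __name__ == "__main__":
    for user, when, src, why in login_anomalies(SAMPLE_LOG):
        print(f"review: {user} at {when} from {src} ({why})")
```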