SINGAPORE: The developer of an e-commerce platform owned by Starbucks Singapore has been fined over a data breach that affected more than 300,000 members of the coffee chain’s rewards membership programme. In its judgment released on Nov 10, the Personal Data Protection Commission (PDPC) fined the developer S$10,000 and said that the developer, Ascentis, was first hired by Starbucks Singapore in 2014.
In 2020, Starbucks Singapore engaged Ascentis to develop, provide and render ongoing technical support for its e-commerce platform. Customers would be able to buy Starbucks products through the platform. Ascentis then engaged an overseas vendor – Kyanon Digital, a Vietnam-based company – to provide additional manpower and software development support. Ascentis said that it still maintained control and management over the project. However, Kyanon employees were given accounts on the e-commerce platform with full administrative privileges, including being able to export data from the platform.
In May 2022, a Kyanon employee named Peter left the company and handed over his account credentials to the remaining project team members via a shared Google Sheet. Sometime between Sept 10 and 13, 2022, a malicious actor used this account to gain access to the e-commerce platform.
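The two lapses described above, a vendor account carrying full administrative and export rights, and a departed employee's credentials left active and passed around in a shared sheet, are exactly what a routine access audit is meant to catch. The following Python script is an added illustration, not code from Ascentis, Kyanon or Starbucks Singapore, and all account names, roles, dates and log entries in it are constructed. It cross-checks an account inventory against departure dates and an authentication log, flagging enabled accounts whose owner has left, third-party accounts holding sensitive roles, and successful logins that occur after an owner's departure date:

```python
"""Offboarding and privileged-access audit over a constructed account inventory."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    owner: str
    organisation: str            # "internal" or the name of a third-party vendor
    roles: FrozenSet[str]        # e.g. {"admin", "export"}
    enabled: bool
    owner_left_on: Optional[date]  # None while the owner is still employed


@dataclass(frozen=True)
class Login:
    username: str
    when: date
    success: bool


# Constructed sample inventory (hypothetical names, not from the article):
# an in-house admin, a vendor account whose owner left at the end of May
# but was never disabled, and a vendor account limited to read access.
ACCOUNTS: List[Account] = [
    Account("ops.admin", "Staff A", "internal", frozenset({"admin"}), True, None),
    Account("dev3.vendor", "Contractor B", "vendor-x",
            frozenset({"admin", "export"}), True, date(2022, 5, 31)),
    Account("dev4.vendor", "Contractor C", "vendor-x", frozenset({"read"}), True, None),
]

# Constructed authentication log: one login lands months after the owner left.
LOGINS: List[Login] = [
    Login("ops.admin", date(2022, 9, 1), True),
    Login("dev3.vendor", date(2022, 9, 11), True),
    Login("dev4.vendor", date(2022, 9, 12), True),
    Login("dev3.vendor", date(2022, 9, 12), False),   # failed attempt, not reported
]

SENSITIVE_ROLES = frozenset({"admin", "export"})


def stale_accounts(accounts: List[Account]) -> List[str]:
    """Enabled accounts whose owner has already left; these should have been
    disabled as part of offboarding rather than handed to colleagues."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.owner_left_on is not None)


def overprivileged_vendor_accounts(accounts: List[Account],
                                   sensitive: FrozenSet[str] = SENSITIVE_ROLES) -> List[str]:
    """Third-party accounts holding roles (admin, bulk export) that routine
    development support does not require."""
    return sorted(a.username for a in accounts
                  if a.organisation != "internal" and a.roles & sensitive)


def logins_after_departure(accounts: List[Account],
                           logins: List[Login]) -> List[Tuple[str, str]]:
    """Successful logins on an account dated after its owner's departure.
    Any hit means someone other than the owner is using the credentials."""
    left_on = {a.username: a.owner_left_on for a in accounts if a.owner_left_on}
    return sorted((l.username, l.when.isoformat()) for l in logins
                  if l.success and l.username in left_on and l.when > left_on[l.username])


if __name__ == "__main__":
    print("Enabled accounts of departed owners:", stale_accounts(ACCOUNTS))
    print("Vendor accounts with sensitive roles:", overprivileged_vendor_accounts(ACCOUNTS))
    print("Logins after owner departure:", logins_after_departure(ACCOUNTS, LOGINS))
```

In practice the inventory would come from the platform's user export and the departure dates from the vendor's own leaver notifications; the point of the third check is that a login on a known-departed account is a high-confidence signal that should page someone, rather than sit in a report.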
The breach came to light in September last year after the personal data of 332,774 Starbucks Singapore customers was sold on a dark web forum. Contact details and membership account information, including names, physical addresses, email addresses, telephone numbers and birth dates, were put up for sale. The data, collected from those who signed up for the My Starbucks Rewards loyalty programme, was stored on a cloud database.
The PDPC said that it recognised that Ascentis cooperated with investigations, took prompt remedial actions, did not previously breach the Personal Data Protection Act, and voluntarily accepted responsibility for the incident. It also added that it was satisfied the data breach could not be directly attributed to Starbucks Singapore since internal lapses by Ascentis had caused the breach.
In October last year, the maximum amount a company can be fined for a data breach was increased to either 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher. Previously, organisations that violated the Personal Data Protection Act faced a financial penalty of up to S$1 million.
Last year, the data of about 330,000 Singaporean Starbucks customers was found to have been breached and put up for sale on an online forum from Sept 10. The affected customers received an e-mail from the coffee chain about a data breach that compromised their personal information, including their names, home addresses and e-mail addresses.
A spokesman for Starbucks Singapore said the coffee chain was made aware of the data breach only on Sept 13, adding that the customers affected were those who had accounts and had previously made a transaction via its app or online store.
The Independent Singapore has reached out to Starbucks Singapore for comment and clarification. /TISG