Singapore — A cyber-security consultant has reported that, due to a server misconfiguration, Singapore-based gaming device maker Razer accidentally exposed the personal data of more than 100,000 customers from Aug 18 to Sept 9.
The consultant, Mr Volodymyr Diachenko, who runs the firm Security Discovery, discovered the breach at Razer’s online store and found that personal data such as customers’ full names, emails, phone numbers, customer internal IDs, order numbers, order details, and billing and shipping addresses had been left exposed.
Revealing that the data was available for public access for close to a month, Mr Diachenko wrote in a LinkedIn post: “Based on the number of the emails exposed, I would estimate the total number of affected customers to be around 100K.”
Mr Diachenko quickly contacted Razer and informed the company about the breach but his message did not receive immediate attention. He wrote online: “My message never reached right people inside the company and was processed by non-technical support managers for more than 3 weeks until the instance was secured from public access.”
Razer acknowledged the data breach in a statement sent to the cyber-security expert more than three weeks after he contacted the firm. Revealing that the lapse was rectified on Sept 9, the company said that no “sensitive information” such as payment details was leaked and that the issue was fixed before it was made public.
A statement issued by Razer, available on Mr Diachenko’s post, states: “We were made aware by Mr Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed.
“The server misconfiguration has been fixed on 9 Sept, prior to the lapse being made public. We would like to thank you, sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as conduct a thorough review of our IT security and systems. We remain committed to ensure the digital safety and security of all our customers.”
In his post, Mr Diachenko warned that Razer customers could be at risk of fraud and targeted phishing attacks perpetrated by criminals who might have accessed the data.
Calling on Razer customers to be vigilant, he said:
“Customers should be on the lookout for phishing attempts sent to their phone or email address. Malicious emails or messages might encourage victims to click on links to fake login pages or download malware onto their device.”