Loyalty marketing agency Ascentis fined S$10,000 following data breach of over 300,000 Starbucks Singapore’s customers

SINGAPORE – A loyalty marketing agency, Ascentis, has been fined S$10,000 in the wake of a data breach affecting over 300,000 members of Starbucks Singapore’s rewards membership program.

The breach, which occurred in September 2022, resulted in the personal data of 332,774 Starbucks Singapore customers being offered for sale on a dark web forum.

Ascentis, the developer of an e-commerce platform for Starbucks Singapore, cooperated with investigations and took prompt remedial actions, according to the Personal Data Protection Commission (PDPC) judgment released on Nov 10.

The agency had been engaged by Starbucks Singapore since 2014 to support its loyalty program, and in 2020, it was tasked with developing and providing ongoing technical support for the e-commerce platform.

Data breach involving Starbucks Singapore’s e-commerce platform

Ascentis enlisted the services of an overseas vendor, Kyanon Digital, situated in Vietnam, to offer extra manpower and support for software development.

Nevertheless, even with Kyanon’s participation, Ascentis retained control and oversight of the project.

Administrative accounts on the e-commerce platform were provided to Kyanon employees, conferring full administrative privileges, including the authority to export data from the platform.

Notably, these administrative accounts did not mandate the use of multi-factor authentication during that period.

The breach was facilitated when a  former employee of Kyanon Digital left the company. The employee, named Peter, left in May 2022 and handed over his account credentials to the remaining members of the project team via a Google Sheet.

However, his admin account remained active; Kyanon employee opted to change the password, updated the Google Sheet with the new password, and proceeded to utilize the account without disabling it.

As per the PDPC, a malicious actor gained unauthorized access to this account and gain access to the e-commerce platform between Sep 10 and 13, 2022.

Subsequently, this individual exfiltrated the personal data of 332,774 individuals, including names, email addresses, birth dates, membership details, physical addresses, and telephone numbers.

Ascentis stated to the PDPC that it did not know how the third party got the data.

The PDPC speculated in its judgment that it could have been through an external Google Sheet where the exported data was stored.

The Singapore Computer Emergency Response Team (SingCERT) informed the PDPC about the occurrence on September 13, 2022.

Following this, Starbucks Singapore and Ascentis individually presented data breach notifications to the PDPC on September 15 and 16 of the same year.

PDPC judgement: Ascentis fined S$10,000 over data breach

In its judgment, the PDPC found that Ascentis failed to disable Peter’s admin account promptly, and the account was not adequately protected with a complex password.

By Ascentis’ own admission, it bore the responsibility for both creating and managing admin accounts.

Moreover, the agency’s password management practices were deemed insufficient, as the new password incorporated easily guessable elements.

Ascentis informed the PDPC that the recently set password adhered to the platform’s password complexity criteria, which included a minimum length of eight characters, at least one uppercase and one lowercase letter, one special character, and the condition that it should not match the account’s previous five passwords.

However, the PDPC emphasized its position that adhering to password complexity requirements on “mere technical compliance” is insufficient if the password remains susceptible to guessing.

In this particular instance, the new password included the term “Kyanon@” and a consecutive series of numbers.

“While the immediate cause for the weak new password and insecure sharing of the credentials for Peter’s admin account may have been the Kyanon employees, (Ascentis) could have managed this better by specifying clearer data protection requirements to Kyanon as part of its involvement in the project, including in relation to account management,” the PDPC added.

The PDPC highlighted the importance of multi-factor authentication and assigning admin rights only to necessary employees as preventive measures.

While acknowledging Ascentis’ cooperation with investigations and prompt remedial actions, the PDPC imposed a fine of S$10,000, taking into account the severity of the breach and the agency’s responsibility for the incident.

Starbucks Singapore’s security measures post data breach

Starbucks Singapore, while not directly responsible for the breach, voluntarily undertook enhanced security measures and cooperated with the PDPC’s remediation plan.

The coffee chain emphasized that it does not store credit card information and assured customers that their stored value, rewards, and credits in the Starbucks Rewards membership remained intact.

The PDPC, in its judgment, suggested that Starbucks Singapore could further improve its contractual stipulations and handling of data intermediaries.

The commission determined that Starbucks Singapore complied with the terms of its voluntary undertaking, which included the implementation of two-factor authentication and IP address restriction for the admin portal of the customer database.