Carousell Personal Data Security Breach Confirmed On 14 Oct, No Credit Card Info Compromised
Carousell has become a household name for Singaporeans that’s synonymous with buying and selling items outside the traditional retail sphere.
However, the portal is now the latest local company to be hit by a personal data security breach.
The breach ended up exposing users’ email addresses and mobile numbers.
Carousell confirmed data breach on 14 Oct
In an email to affected users on Friday (21 Oct), Carousell said they confirmed the data breach on 14 Oct.
They didn’t mention why it took one week to inform users.
However, a spokesperson told Channel NewsAsia (CNA) that they sent out the alert as soon as they could.
Their priority was to ensure the issue was resolved and to assess its impact so they could notify the Personal Data Protection Commission (PDPC).
The company has already informed the PDPC and law enforcement officials and is assisting them with investigations.
Breach exposed emails & mobile numbers
In their letter, Carousell said the breach exposed the email addresses and mobile numbers of certain users in Singapore.
An unauthorised third party had accessed the personal information via a bug that was introduced during a system migration.
However, they assured users that no credit card information and details related to payments were compromised.
Identity theft unlikely: Carousell
Carousell also maintained that identity theft was “unlikely”, as users’ NRIC numbers were not among the data exposed.
However, users whose email addresses and mobile numbers were leaked would be at greater risk of falling prey to a phishing scam.
In August, the police said a Carousell phishing scam had conned victims of about S$17,000.
Thus, Carousell warned users to beware of emails or SMSes from unfamiliar sources, especially those with foreign links.
Carousell also said that hackers wouldn’t be able to access Carousell accounts as no password-related info was leaked.
If the website detects a login from a new device, it would also require Two-Factor Authentication (2FA) from a registered email address.
As long as the 2FA code isn’t shared, other parties won’t be able to access the account.
Carousell apologises for breach
Though the email seemingly didn’t contain an apology to users, the Carousell spokesperson apologised in their response to CNA, saying that they “deeply regret the incident”.
They’ll be taking steps to ensure users’ personal data is not provided to unauthorised users, including adding automated and manual review processes for any external application programming interfaces (APIs).
Those who have any questions can contact the company at dpo@thecarousell.com.