Love, Bonito Fined S$24,000 Over Company Breach That Compromised Personal Data
These days, buying something is as simple as going online, choosing the items we want, and keying in our payment details.
However, the processes behind the scenes are more complicated than we think. When something goes wrong, the consequences can be dire.
On Thursday (19 May), popular fashion label Love, Bonito was fined S$24,000 for failing to protect the personal information of over 5,500 customers in 2019.
The data breach involved an administrator account of the software the company used to manage its e-commerce website.
PDPC says Love, Bonito security measures were inadequate
According to The Straits Times (ST), the Personal Data Protection Commission (PDPC) said in their report that Love, Bonito’s password policy for its website management software accounts was not strong enough.
Previously, the company had adopted the software’s default security settings, such as a required password length and maximum login attempts.
However, these were not enough to prevent breaches, said PDPC. For example, they could have made it compulsory for customers to update their passwords regularly.
The software’s default security settings also did not prohibit employees from using easily guessed passwords.
For example, one of the administrator accounts, according to the PDPC, had “ilovebonito88” as the password.
Such passwords were easy for attackers to guess and left the company vulnerable to brute-force attacks.
This refers to a common way of guessing passwords by systematically trying every possible combination of letters, numbers and symbols.
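The controls the PDPC pointed to (a minimum length, a ban on guessable or company-derived passwords, periodic rotation, and a cap on login attempts) can be enforced in code. The following is an added illustration, not code from Love, Bonito, its software vendor or the PDPC; the policy values and the brand tokens are constructed for the example.

```python
import re
from datetime import date, timedelta

# Policy values are constructed for this example; they are not the software's
# defaults nor figures from the PDPC decision.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
MAX_FAILED_ATTEMPTS = 5
# Tokens an attacker would try first against this particular merchant.
BRAND_TOKENS = ("lovebonito", "bonito")
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "welcome"}

def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Strip digits and symbols so 'ilovebonito88' and 'Love_Bonito_2019!'
    # both reduce to the brand name before the blocklist check.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if any(token in letters_only for token in BRAND_TOKENS):
        problems.append("derived from the company name")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems

def password_expired(last_changed: date, today: date) -> bool:
    """Periodic rotation, which the default settings did not require."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)

class LoginThrottle:
    """Count failed logins per account and lock it once the limit is reached."""
    def __init__(self):
        self.failures: dict[str, int] = {}

    def record_failure(self, account: str) -> bool:
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.is_locked(account)

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= MAX_FAILED_ATTEMPTS

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)

if __name__ == "__main__":
    print(check_password("ilovebonito88"))
```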
Love, Bonito customers’ data leaked to third party
According to ST, the PDPC found that Love, Bonito had failed to implement reasonable security arrangements to protect their customers’ personal data, such as first and last names, phone numbers, and credit card details.
As a result, an administrator account of the software Love, Bonito used to manage its website was used by an unidentified third party to gain access to customers’ data.
Unauthorised code was added to the website, allowing customers’ credit card information to be transferred to an unknown third party.
The findings were uncovered by the company’s investigations, its digital solution providers, and a private forensic investigator.
In Nov 2019, the company discovered that its check-out page was incorrectly configured after noticing a dip in credit card authorisations.
Unknown to them, when customers tried to make payments, their credit card information was sent to a third party instead of Love, Bonito. Even though the issue was fixed, the same problem occurred in Dec 2019.
Investigations found that the problem was caused by code that ran every time customers accessed the website’s check-out page to pay for their orders, together with the unauthorised use of the administrator account.
Love, Bonito then informed their customers of the breach on 13 Dec 2019 and advised them to check with their banks.
Hope companies will be more responsible
When it comes to technology, there’s always more than meets the eye. Many of us might not have been aware of the technical complexity behind a seemingly simple e-commerce website, as well as the risks involved.
Nevertheless, it is the responsibility of every company to protect the personal information of their customers who have placed their trust in them.
Hopefully, Love, Bonito will use the feedback from PDPC to implement a more robust security system so that such incidents will not happen again.
Featured image adapted from TheSmartLocal.