OG department store customers' personal details leaked in data breach

OG said that no financial information, such as credit card numbers, had been leaked.
The Straits Times file

SINGAPORE - There has been a leak of OG department store customers' personal data such as names, mobile numbers and dates of birth, said the retailer on Thursday (Jan 6).

In a statement to OG members, the department store said it was notified on Tuesday about the data breach, which affected members who are in either the basic or gold tiers.  

In response to queries from The Straits Times, OG said it has asked its service provider to take immediate action to manage and remediate the breach and ensure that the database is secure. 

A spokesman for OG said: “The management of OG is working closely with cyber security consultants and the authorities to strengthen our safeguards, systems and process. Our priority is to make sure customer data is safe.”

In the statement to its members, OG said its preliminary investigations indicated that the database, which had been stored and managed by an external third-party membership portal service provider, had been compromised.

“We are informing you (OG members) now so that you can take appropriate steps expeditiously to protect your online credentials,” the department store said.

The spokesman and the statement did not say how many members were affected.

[[nid:510473]]

Data that may have potentially been compromised includes the names of OG members, their mailing addresses, e-mail addresses, mobile numbers, genders, dates of birth, as well as encrypted NRIC data and passwords.

It added that no financial information, such as credit card numbers, had been leaked.

In its statement, OG said it has reported the matter to the police and other relevant authorities, including the Personal Data Protection Commission (PDPC) and the Cyber Security Agency of Singapore (CSA).

The retailer said that affected people should be wary of phishing or impersonation attempts. It urged members who have reused their OG membership password across different websites or platforms to change their passwords immediately to avoid any possible compromise of their other accounts.

Those affected by the incident can also enable additional security measures, such as multi-factor authentication if supported, said the retailer.

Those with questions and concerns can contact OG at pdp@og.com.sg

ST has contacted CSA and PDPC for comment.

This article was first published in The Straits TimesPermission required for reproduction.