Undertaking by Starbucks Coffee Singapore Pte Ltd

Background 

On 13 September 2022, the Personal Data Protection Commission (the “Commission”) reached out to Starbucks Coffee Singapore Pte. Ltd. (the “Organisation”) after receiving information that personal data purporting to belong to the Organisation’s customers were available for sale online.

The Organisation lodged a data breach notification to the Commission on 15 September 2022 and confirmed that its customer database, managed by its data intermediary, Ascentis Pte. Ltd. (“Ascentis”), was compromised by an unknown threat actor. As a result, the personal data of approximately 332,774 individuals including their names, phone numbers, email addresses, addresses, date of birth and membership information was compromised.

Investigations revealed that the personal data breach could not be directly attributed to the Organisation but had occurred due to internal lapses on Ascentis’ end. Ascentis had engaged an overseas vendor, Kyanon Digital Co. Ltd (“Kyanon”), which was based in Vietnam, to complement and be part of the development team assisting in its project implementation for the Organisation. However, Ascentis failed to implement reasonable administrative and technical measures to ensure that Kyanon complied with its IT policies and standards.

Remedial Actions

After the incident, as part of a remediation plan, the Organisation implemented the following:

(a) Requested its vendor to implement two-factor authentication and IP address restriction to access the admin portal of the customer database;

(b) Reset the application programming interface as a precautionary measure;

(c) Audited the processes of its vendor and required it to improve its monitoring and security processes;

(d) Reviewed its existing contracts with 3rd party vendors; and

(e) Notified all affected customers.

Undertaking 

The Commission accepted the Undertaking as it was satisfied that, notwithstanding that the data breach was caused by internal lapses at Ascentis, the Organisation could further improve its contractual stipulations for, and handling of, its data intermediaries.

The Organisation has since updated the Commission that it has fully implemented its remediation plan. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking.
