[BreachExchange] L’Oreal Singapore let off with a warning for personal data breach

Destry Winant destry at riskbasedsecurity.com
Mon Jan 13 10:12:42 EST 2020


https://www.marketing-interactive.com/loreal-singapore-let-off-with-a-warning-for-personal-data-breach/

L’Oreal Singapore compromised customers’ profile information due to a
failure of security arrangements on its eCommerce website.
According to the Personal Data Protection Commission (PDPC), details
such as the names, email addresses, postal addresses, mobile numbers
and dates of birth of seven individuals were exposed.

In a case filing document seen by Marketing, PDPC said L’Oreal
operated a website which had a login portal that enabled its customers
to view their profile information, redeem vouchers and make enquiries
about customer points. The beauty company engaged a vendor to make
coding changes to the website in November 2018, but failed to run
checks on its login and caching functions after the code changes were
introduced.

As a result, a customer who logged in to the dedicated customer login
page would have his or her personal data cached and disclosed to other
customers who subsequently logged in to the same page, until the cache
was refreshed. Similarly, the personal data of the second customer who
logged in after the cache refresh would be cached, leading to
disclosure of his or her details to the third customer who logged in
next.

According to PDPC, L’Oreal had engaged a consultant to assist in its
investigations into the matter and to provide recommendations to
prevent similar incidents in the future. The commission said that
L’Oreal had completed all necessary and appropriate tests based on the
foreseeable impact of the requested changes to its website, but failed
to include the foreseeable scenario of multiple users logging in
sequentially. However, the commission will not slap a fine on L’Oreal
and will give a warning to the company.

Recently, there have been a number of data breaches in Singapore. In
December 2019, Love, Bonito confirmed that its eCommerce website was
breached and about 3% of its customers may have had their
personal information exposed. In a statement to Marketing then, a
Love, Bonito spokesperson said the breach affected local and
international customers.

Months earlier, Sephora confirmed a data breach, compromising personal
information of some customers who have used its online services in
Singapore, Malaysia, Indonesia, Thailand, Philippines, Hong Kong SAR,
Australia and New Zealand. In an email to consumers seen by Marketing,
Alia Gogi, managing director SEA, Sephora said the breach occurred
over the last two weeks but did not clarify the exact number of those
affected.
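
The sequential-login scenario the PDPC found missing from testing, as an added example that is not part of the original article and is not L'Oreal's or its vendor's code. ProfileSite, the cache-key functions and the sample profiles are constructed assumptions that model a page cache whose key ignores the logged-in user, next to a per-user key.

```python
# Constructed model of the failure mode described in the article.
PROFILES = {  # constructed sample data, not real customers
    "alice": {"name": "Alice Tan", "email": "alice@example.com"},
    "bob": {"name": "Bob Lim", "email": "bob@example.com"},
    "carol": {"name": "Carol Ng", "email": "carol@example.com"},
}

def shared_key(path, user):
    return path              # defect: one cache entry serves every user

def per_user_key(path, user):
    # Fix: entry is bound to the authenticated user. The alternative is to
    # keep authenticated pages out of shared caches (Cache-Control: private).
    return (path, user)

class ProfileSite:
    """Hypothetical login portal with a page cache in front of /profile."""
    def __init__(self, cache_key):
        self.cache_key = cache_key
        self.cache = {}

    def get_profile(self, user):
        key = self.cache_key("/profile", user)
        if key not in self.cache:          # cache miss: render for this user
            p = PROFILES[user]
            self.cache[key] = f"{p['name']} <{p['email']}>"
        return self.cache[key]             # cache hit: whatever was stored

    def refresh_cache(self):
        self.cache.clear()

def sequential_login_leaks(site, users):
    """Log users in one after another; return (viewer, owner) pairs where
    the page served to viewer contains another owner's email address."""
    leaks = []
    for viewer in users:
        body = site.get_profile(viewer)
        for owner, p in PROFILES.items():
            if owner != viewer and p["email"] in body:
                leaks.append((viewer, owner))
    return leaks

if __name__ == "__main__":
    site = ProfileSite(shared_key)
    print("before refresh:", sequential_login_leaks(site, ["alice", "bob"]))
    site.refresh_cache()
    print("after refresh: ", sequential_login_leaks(site, ["bob", "carol"]))
    fixed = ProfileSite(per_user_key)
    print("per-user key:  ", sequential_login_leaks(fixed, ["alice", "bob", "carol"]))
```

Run as a regression test after any change to login or caching code, the check fails whenever a later user is served an earlier user's page.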

