14 January 2022 | Asia Cyber Summary

Updated: Feb 7

In the Spotlight this Week:

  • Singapore retailer OG hit by data breach

  • Clarins hit by security breach, SG customers' personal details at risk

  • NPC orders Comelec to explain alleged data breach

  • Signal CEO resigns, WhatsApp co-founder takes over as Interim CEO

  • Salesforce mandates MFA by default

Singapore Retailer OG Hit by Data Breach

The personal data of Singapore retailer OG’s basic and gold members was reportedly compromised in the latest data breach in the city-state. In a statement to OG members, the retailer said a breached database containing personal data of the affected members had been stored and managed by an external third-party membership portal service provider.

The potentially compromised data include members’ names, mailing addresses, email addresses, phone numbers, genders, dates of birth, cryptographically hashed national identity card numbers, as well as cryptographically hashed passwords to the member accounts. OG said the data breach was limited and confined to one isolated database on its members and did not affect any past or future purchases made at OG or at its online store.

Clarins Hit by Security Breach, SG Customers' Personal Details at Risk

French cosmetics company Clarins has been hit by a data security incident which may involve Singapore customers’ personal information. The company said in a statement on its website that the incident was due to a critical vulnerability in a widely used piece of software known as Log4j.

Clarins said it deeply regrets the incident, adding that it promptly implemented security patches to prevent a recurrence of such an attack. The company added that it is working closely with law and security experts to ensure that the incident is properly addressed and that it has also reported the security breach to the Singapore Personal Data Protection Commission (PDPC).

NPC Orders Comelec to Explain Alleged Data Breach

The National Privacy Commission directed the Commission on Elections to explain the alleged hacking of its servers. The NPC set a virtual “clarificatory meeting” with Comelec and Manila Bulletin on Jan. 25 to discuss the news organization’s report on the supposed data breach.

“The Comelec must address the serious allegations made in the Manila Bulletin news report and determine whether personal data were indeed compromised, particularly personal information, sensitive personal information, or data affecting the same, which were processed in connection with the upcoming 2022 national and local elections”, said Privacy Commissioner John Henry Naga in a statement.

Signal CEO Resigns, WhatsApp Co-Founder Takes Over as Interim CEO

Moxie Marlinspike, the founder of the popular encrypted instant messaging service Signal, has announced that he is stepping down as the chief executive of the non-profit in a move that has been underway over the last few months.

“In other words, after a decade or more, it's difficult to overstate how important Signal is to me, but I now feel very comfortable replacing myself as CEO based on the team we have, and also believe that it is an important step for expanding on Signal's success”, Marlinspike said in a blog post on Monday. Executive chairman and WhatsApp co-founder Brian Acton will serve as the interim CEO while the search for a replacement is on.

Salesforce Mandates MFA by Default

From 1 February 2022, “Salesforce will begin requiring customers to enable multi-factor authentication (MFA) in order to access Salesforce products”, the company said in an official announcement. From that point onwards, “all internal users who log in to Salesforce products (including partner solutions) through the user interface must use MFA for every login”.

MFA has been a recommended setting for most business access for years, but never has a major service provider insisted that customers use it as a precondition of service. Even Google and Microsoft, both big advocates for MFA, do not implement it by default to access their services.
