A server misconfiguration caused gaming hardware firm Razer to potentially expose the data of about 100,000 global customers, including their personal information, order details and shipping information.
Credit card numbers and passwords were safe, said the company.
The data breach was discovered on Aug 18 by cyber security consultant Volodymyr Diachenko, who estimated the total number of affected customers to be around 100,000, based on the number of e-mail addresses exposed.
Razer confirmed the figure on Wednesday evening, in response to queries from The Business Times. The company began notifying affected customers on Wednesday after the incident was reported by the media.
Singapore’s Personal Data Protection Commission (PDPC) is aware of the incident and is looking into the matter, a spokesperson told BT.
In a LinkedIn post on Sept 10, Mr Diachenko said that the server had been misconfigured for public access since Aug 18, 2020. He immediately notified the company, but his message was processed by non-technical support managers for more than three weeks, he said.
He found that information of customers exposed on the web included full names, e-mail details, phone numbers, customer internal IDs, order numbers, order details, and billing and shipping addresses.
In a statement on Tuesday, Razer said the server misconfiguration was fixed on Sept 9.
The company, which is bidding for a digital banking licence in Singapore, said: "We sincerely apologise for the lapse and have taken all necessary steps to fix the issue, as well as conduct a thorough review of our IT security and systems. We remain committed to ensuring the digital safety and security of all our customers."
Mr Diachenko said the customer records could be used by criminals to launch targeted phishing attacks, in which the scammer poses as Razer or a related company.
"Customers should be on the lookout for phishing attempts sent to their phone or e-mail address. Malicious e-mail or messages might encourage victims to click on links to fake login pages or download malware onto their device," he wrote.
Other companies have also recently been found guilty of putting their customers' data at risk. Last Thursday, Singapore's privacy watchdog disclosed in a decision paper that it had fined ride-hailing firm Grab S$10,000 in July after the data of about 21,500 drivers and passengers was put at risk of unauthorised access.
In March, the PDPC slapped a S$32,000 fine on the Central Depository after it mailed dividend cheques to outdated addresses, compromising the safety of some 200 account holders' data.