Singapore-based OG department store said in a statement that on January 4, it was notified of a data breach, which affected members in its basic and gold categories.

OG said the breached database, which had been stored and managed by an external third-party membership portal service provider, was indeed compromised.

“While the extent of the incident is still being investigated, we are informing you (OG members) now so that you can take appropriate steps expeditiously to protect your online credentials,” the department store said.

Possibly compromised data

Data that may potentially have been compromised include the names of OG members, mailing addresses, email addresses, mobile numbers, genders, dates of birth, cryptographically-hashed NRIC (National Registration Identity Card) data, as well as cryptographically-hashed passwords to the member accounts.

The potentially compromised data did not include any unencrypted NRIC numbers, or any financial information, such as credit card numbers. OG said it has not collected any NRIC data since 2019, and does not store its customers’ financial information.

The data breach was said to be limited to one isolated member database. It does not affect any past or future purchases made at OG or at its online stores on og.com.sg or Shopee.

The department store, however, did not disclose how many members were affected by the breach.

Security measures for affected members

In response to the data breach, OG reported the matter to the police and other relevant authorities, including the Personal Data Protection Commission and the Cybersecurity Agency of Singapore. It is working with cybersecurity consultants as well.

The department store said affected individuals should be wary of phishing or impersonation attempts. It encourages members who have reused their OG membership password across different websites or platforms to change their passwords right away to avoid compromising their other accounts.

Affected members may also enable additional security measures, such as multi-factor authentication if supported, said OG.

Managing access rights

Jeffrey Kok, VP, Solution Engineers, Asia Pacific and Japan at CyberArk, commented on the incident, saying: “Cyber criminals and syndicates typically procure and sell personal data records to other criminals who leverage them for phishing attacks, scams, social engineering, and other campaigns. In addition, ransom amounts have increased, making it even more compelling for attackers to gain possession of such confidential information.”

Kok believes that monitoring and controlling access rights and privileges is crucial to maintaining a strong security posture.

“The current landscape has brought about opportunities for attackers to leverage, and retailers and other businesses need to proactively ensure they secure powerful privilege accounts and keep sensitive customer data safe,” he remarked. “This is because attackers who gain access to privileged accounts can potentially elevate privileges and move laterally throughout the network to accomplish their goals that could be as serious as executing a complete network takeover.”

Kok advised that affected customers should be wary of unsolicited calls, SMS messages, and emails. “They should never divulge passwords, OTPs, or SMS messages with anyone. As a rule of thumb, use strong passwords for different websites and avoid reusing passwords.”

Organisations may also consider adopting Singpass as an authentication option, said Kok. This enables users to sign in with Singpass rather than having to manage a separate set of usernames and passwords for other sites.

“In addition, businesses working with third-party vendors could consider independent audits, red team assessment, and penetration testing to ascertain that their third-party vendors have the expected rigour, due diligence, security controls, and governance,” Kok recommended.