A SERVER misconfiguration caused gaming hardware firm Razer to potentially expose the data of about 100,000 global customers, including their personal information, order details and shipping information.
Credit card numbers and passwords were safe, said the company.
The data breach was discovered by cyber security consultant Volodymyr Diachenko, who estimated the total number of affected customers to be around 100,000, based on the number of e-mail addresses exposed.
Razer has yet to verify this figure.
In a LinkedIn post on Sept 10, Mr Diachenko said that the server had been misconfigured for public access since Aug 18, 2020. He immediately notified the company, but his message was processed by non-technical support managers for more than three weeks, he said.
He found that information of customers exposed on the web included full names, e-mail details, phone numbers, customer internal IDs, order numbers, order details, and billing and shipping addresses.
In a statement on Tuesday, Razer said the server misconfiguration was fixed on Sept 9.
The company, which is bidding for a digital banking licence in Singapore, said: “We sincerely apologise for the lapse and have taken all necessary steps to fix the issue, as well as conduct a thorough review of our IT security and systems. We remain committed to ensuring the digital safety and security of all our customers.”
Mr Diachenko said the customer records could be used by criminals to launch targeted phishing attacks, in which the scammer poses as Razer or a related company.
“Customers should be on the lookout for phishing attempts sent to their phone or e-mail address. Malicious e-mail or messages might encourage victims to click on links to fake login pages or download malware onto their device,” he wrote.
However, Razer has yet to disclose whether affected customers were notified of their data being exposed.
Other companies have also recently been found guilty of putting their customers’ data at risk. Last Thursday, Singapore’s privacy watchdog disclosed in a decision paper that it had fined ride-hailing firm Grab S$10,000 in July after the data of about 21,500 drivers and passengers was put at risk of unauthorised access.
In March, the Personal Data Protection Commission (PDPC) slapped a S$32,000 fine on the Central Depository after it mailed dividend cheques to outdated addresses, compromising the safety of some 200 account holders’ data.
The Business Times has reached out to Singapore’s Infocomm Media Development Authority, under which the PDPC falls, for comments on Razer’s data leak.