Singapore Airlines' KrisShop Retail Portal Targeted by Phishing Attack
KrisShop, Singapore Airlines’ online and inflight retailer, was the target of a recent phishing attack. The attack on an employee’s work account exposed the personal data of 4,749 KrisShop customers to an unknown party. The incident is another reminder of the perils of storing data online and the ongoing effort to prevent unauthorised access to that data.
The Straits Times reported on 17 March 2022 that a spokesman for KrisShop spoke to them about the incident, which took place on 8 March. The report noted that some of the exposed data included names, email addresses, residential addresses, contact numbers and e-voucher numbers. Also, 165 customers had their bank account details exposed along with 17 KrisFlyer member account numbers.
The spokesman said that the most sensitive data did not get exposed. These include passwords and credit card information which would have enabled third parties to attempt unauthorised transactions on KrisShop. He did not give further details on the attack or who was responsible for it.
However, the KrisShop spokesman pointed out that the retailer took steps to address the situation as soon as the attack was discovered. The steps included locking the account to prevent further access, encrypting the affected customer data and reporting the matter to Singapore’s Personal Data Protection Commission on 10 March 2022, two days after the incident occurred.
In announcing the incident, KrisShop apologised to those affected by this latest phishing attack and promised to assist them in any way they could. The retailer also cancelled and replaced the vouchers whose numbers were exposed in the phishing attack. The company said that, following a review jointly conducted with Singapore Airlines, the incident was an isolated one. It was caused by human error, and other databases and systems were not compromised. They reassured customers that data privacy and security are a top priority for them.
This attack is the latest in a string of phishing attempts and scams involving Singapore’s flag carrier. A year ago, ZDNet reported that a third-party IT vendor to whom Singapore Airlines entrusted frequent flyer data was the target of a phishing attack. This attack compromised the data of up to 580,000 customers. However, as the amount of data was limited only to that which SIA could share with its Star Alliance counterparts, the attack’s impact was minimal. In 2019, the airline warned customers of a phishing scam promising free tickets in exchange for disclosing sensitive personal data.
KrisShop started life as Singapore Airlines’ inflight duty-free shop in 1974. Since then, the shop has become a full-blown online and inflight retailer. The shop still carries such duty-free staples as perfume, electronics, travel souvenirs and wines and spirits. It also has specialty shops selling items from Singapore-based companies and social enterprises. One notable feature is a shop selling items featuring SIA’s signature batik motif.
Phishing attacks and scams have been around since the dawn of the internet. There are several ways to prevent one’s data from being compromised. These include checking site security, having updated antivirus and firewall software and being careful about clicking links. Most of all, unless the portal is secure, one should not share sensitive personal and financial information online.
KrisShop, Singapore Airlines’ online and inflight retail service, was the target of a phishing attack earlier in March 2022. The attack involved an employee’s work account.
The phishing attack exposed the personal data of 4,749 customers, including email addresses and shop e-vouchers. No passwords or credit card numbers were accessed in the breach.
KrisShop says that this incident was an isolated one and that they took steps to secure the affected data. They are prepared to help affected customers with their concerns.