
Zalora Refutes Alleged 900K Email Data Breach

This article originally appeared on Vulcan Post.

Popular fashion e-retailer Zalora.sg has denied that its email database has been breached or sold to third parties, in the most recent case involving an alleged compromise in personal data protection. The issue was first exposed by online satirical site SMRT Feedback (Ltd) yesterday, showing a screenshot of an email sent by the data seller.

“Hi friends, this is not Zalora’s customer data. I have just double checked with myself for each of the order_id(s) showed and confirm that,” Dat Le, Head of Data for Zalora.sg, wrote on his personal Facebook page.

He added that the 900,000 emails allegedly offered by the seller were “not even close” to the number of Singapore customers the website has. He posted a similar clarification write-up on SMRT Feedback’s Facebook page, gathering more than 29 ‘likes’ as of 11pm yesterday.

Dat Le explained that his team cross-checked order IDs against the customers’ email addresses and found no match. For example, order IDs 287151 and 287155 were not placed by customers with email addresses ending in “oo.com.sg”.

Screenshot of SMRT Ltd (Feedback) Facebook Post

Among the promises made by the seller, whose name was blurred in the attached image, were a free 6-month guarantee on any invalid email address and a 1.2% sales order after purchase of the alleged 900,000 emails. It is not known who sent the email or how SMRT Feedback Ltd received it.

The price offered to the recipient was S$4,500, a discount from the S$6,000 charged normally. An Excel spreadsheet detailing information such as the order ID, email address and even the billing address was also shown on SMRT Feedback (Ltd)’s Facebook page.

One Zalora customer Vulcan Post spoke to was sceptical of the exposed email but did not rule out its authenticity entirely. Shah, 20, said: “I think it’s pretty suspicious but then again, I guess it’s not all trustworthy? After all, it’s the internet … It’s not all true neither it is all false.”

Nevertheless, a few customers have gone to Zalora’s Facebook page for clarification, and the e-retailer has confirmed there that the claim is not true, adding that the team takes its “customers’ personal data privacy very seriously”.

This is not the first time a customer database was leaked to the public. In September this year, the membership database of more than 300,000 K Box customers was divulged online. The incident was believed to have been executed by hackers.

With effect from 2nd July this year, data of consumers living in Singapore are protected under the Personal Data Protection Act (PDPA). Any organisation found by the Personal Data Protection Council (PDPC) to be in breach of any of the data protection provisions in the PDPA may be obliged to destroy the personal data collected in contravention of the Act or pay a financial penalty of an amount not exceeding $1 million.

The horrendous grammar used in the email somewhat erodes the legitimacy of the source. Nonetheless, it could also indirectly lend credence to a scenario in which the e-retailer’s database was indeed extracted by hackers from non-English-speaking countries.

One thing for sure is that the database is definitely from Singapore, as shown by the billing column. Based on the low product count (in this case, most orders had a low basket size of 2), the affected retailer is likely to belong to the fashion or third-party ecommerce industry.

Thus, as a user, you have the right to be concerned and quell your anxiety by making an official enquiry with the PDPC. All you need to do is to write an email to info@pdpc.gov.sg.

[Update]: SMRT Ltd. (Feedback) has amended its Facebook post with this update:

Update: Zalora has clarified that the below screenshot is not from their database. Upon further checking, we found that below data source comes from Deal.com.sg.

Zalora has also contacted Vulcan Post with an official statement:

ZALORA is aware that there is a claim circulating on the internet that someone got hold of the ZALORA customer database and that this database is now being sold in the market.  We’ve checked our database log and information and we confirm that the screen capped database that is posted is NOT our database.

We would like to assure our online shoppers that we follow a comprehensive personal data protection policy and our database is secured behind several layers of protection and access control, with detailed audit logs for monitoring.

Our customer database is extremely secure and has never been sold, monetized or shared with third parties. We do not compromise on our customer’s privacy. Moreover we are committed to finding more ways of keeping our database as secure as possible, as customer data privacy is of the utmost importance to us.

As a leading ecommerce player, ZALORA recognizes that customer data security is sacrosanct and we built our organization and ZALORA systems with this in mind.

SMRT Ltd. (Feedback) has said on its Facebook page that it will not pursue the data leak issue:

We have no interest in pursuing Zalora, Reebonz or Deals.com.sg on the issue of the personal data leak, neither are we releasing anymore details regarding this.

All we are interested in at the moment, are mugs of teh tarik at Arab street.

 
