SPH Magazines apologizes to customers after 685,000 profiles were viewed by hackers

The owners of the HardWare Zone technology forum have issued an apology after discovering a data breach that affected hundreds of thousands of consumers in Singapore.

The online portal, owned by Singapore Press Holdings (SPH) Magazines, was compromised last September when a senior moderator’s account was hacked.

However, the breach has only just come to light after a suspicious posting on the forum last week led to an investigation by staff.

SPH revealed yesterday that the unidentified hacker has viewed an approximate 685,000 registered profiles, making this Singapore’s largest security breach to date.

Exposed data includes customer names, email addresses, and user IDs.

The company confirmed it has contacted users to change their passwords and said it has reported the incident to police.

SPH “sincerely” apologized to HWZ users and said it remains “committed to protecting all personal data”.

It added that compromised data did not include National Registration Identity Card (NRIC) numbers, telephone numbers, or addresses that were purged from the company’s records in July 2015, in accordance with the Personal Data Protection Commission guidelines.

Security consultants are now conducting a review of the system, SPH confirmed.

Previously, Singapore’s largest security breach was the 2016 Uber hack, disclosed last year, in which data from 380,000 Uber customer accounts was stolen.

In November 2017 another media company, Australian state broadcaster ABC, was found to be linked to a huge commercial data breach.

A trove of data found on November 14 was apparently linked to ABC’s commercial division, which provides content marketing, distribution, and a wide range of digital services to customers around the world.

According to Kromtech security researchers, the publicly accessible S3 buckets included “several thousand” emails, logins, and hashed passwords.

The repositories also included requests for licensed ABC content from global television and media producers, secret access key and login details for a separate video content repository, and 1,800 daily MySQL database backups from 2015 to present.

While Kromtech said it immediately sent notification emails to the database owners, who secured the S3 repositories “within minutes”, the researchers said it was unclear who else may have had access to the company’s data or content.