Starbucks SG rewards vendor fined SG$10,000 for customer data breach

Ascentis, the developer for Starbucks Singapore has been charged SG$10,000 for its failure to protect the personal data of more than 300,000 members for the chain’s rewards programme on 10 November. 

According to the Personal Data Protection Commission (PDPC), the developer had “requested and agreed for the investigation to be handled, and voluntarily provided and admitted” to the data breach. 

Don’t miss: Marina Bay Sands' Sands LifeStyle rewards programme sees data security breach

The personal data of these individuals, consisting of names, email addresses, dates of birth, membership details relating to the rewards program, physical addresses and telephone numbers were exfiltrated in the incident.

Voluntary undertakings were implemented by the company which included enhanced security to its consumers’ data and other precautionary measures. 

Ascentis was appointed in September 2020 to help develop and render technical support for the platform. This included Starbucks’ online store, involving the sale and purchase of its products. Starbucks Singapore listed that one of the requirements for the website would be a data autofill, making the process more convenient for its users. 

This data was initially stored in a CRM database, which the developer had synchronised with the platform itself. Both databases were operated independently. 

There was an additional software development company, Kyanon Digital Co. Ltd, which was engaged by Ascentis in January 2021, to provide additional manpower, as well as to help out with the development of the website. Its employees were granted full administration access to the data, according to PDPC. 

Due to this, an ex-employee’s account to the data was not disabled even after his cessation. This resulted in the usage of the ex-employee’s account to access the data by an external third party, leading to the breach. 

Ascentis told the PDPC that it had no idea how the third party accessed the data. PDPC speculated in the judgement that it was through an external Google sheet used to store the exported data. 

The personal data of Starbucks’ customers was also put up for sale on a dark web forum. Starbucks Singapore notified the PDPC of the data breach in September 2022. 

MARKETING-INTERACTIVE has reached out to Starbucks Singapore for more information.

Starbucks Singapore is not the only brand that has been hit by data breaches recently. Singapore hotel group Marina Bay Sands (MBS) issued an email earlier in October to its Sands LifeStyle rewards programme members informing them of a "data security incident".

It explained that a third-party member obtained unauthorised access to the personal data of some members during the incident. 

Related articles: 
EPIC files FTC complaint against Grindr's data privacy practices
Competition watchdog reviews public opinion regarding possible breaches by foodpanda HK and Deliveroo HK
TikTok to be penalised for breaching the privacy of children in EU