1-6-2023 (SINGAPORE) In a concerning development, hackers have recently made public a database containing personal information belonging to more than 40,000 customers of local jewellery chain Goldheart. The leaked database, which emerged on various hacking forums and the Dark Web around May 20, appears to include the records of individuals who signed up for an online account with Goldheart between 2015 and 2022.
Upon investigation by The Straits Times, it was discovered that the compromised database contains a wealth of sensitive information, including names, addresses, phone numbers, email addresses, and users’ dates of birth. Remarkably, every entry within the database, numbering over 40,000, contained email addresses and birth dates.
The hackers behind the leak claimed that the database held the details of approximately 42,000 Goldheart customers. However, The Straits Times determined that fewer than 4,000 entries included phone numbers and addresses. Additionally, several hundred entries were suspected to be fraudulent, containing spam messages instead of genuine customer information.
In response to inquiries, the Personal Data Protection Commission (PDPC) confirmed its awareness of the case and expressed its intention to investigate the matter. A PDPC spokesperson stated, “PDPC is aware of the case. We have reached out to Goldheart for more information and will be investigating.”
Goldheart operates as a subsidiary of Aspial, a prominent jewellery retailer that also owns Lee Hwa Jewellery and pawnbroker Maxi-Cash. With over 20 boutiques, Goldheart is recognized as one of the largest local jewellery chains in the region, as indicated on its Facebook page.
This incident follows a series of cybersecurity breaches in Singapore. Earlier this month, the PDPC instructed the Law Society to address security vulnerabilities following a ransomware attack that compromised the personal information of 16,009 members in 2021. The PDPC investigation uncovered poor password practices, including the use of “Welcome2020lawsoc” as the password for an IT administrator account.
Furthermore, FortyTwo, an online furniture store, was fined S$8,000 by the PDPC for a data breach in 2021 that exposed personal details of 6,339 customers, including credit card information of 98 individuals. Another judgment involved Kingsforce Management Services, which failed to protect the personal data of 54,900 job seekers after its database was compromised and sold on a hacking forum in December 2021. Cybersecurity experts identified outdated website coding technology as the root cause, leading the PDPC to order the company to implement regular patching, updates, and upgrades for all software and firmware supporting its website and application.