Customer Notice FAQs

Last updated 7th Dec 2020

Dear ShopBack Customer,

 

As of last week, we have invalidated unchanged passwords, completed a forced logout and requested that you change to a new password, as an additional measure to protect your account.

 

As a reminder, we strongly suggest that you do not use the same password across different sites. Separately, if you used your previous password on multiple sites, you should change this password immediately.

 

Meanwhile, we continue to cooperate with the Personal Data Protection Commission.

 

We thank you for your continued support and we will continue to release further updates. Please reach out to help@shopback.my if you have additional questions.

 

 

Last updated 13th November 2020

 

Dear ShopBack Customer,

 

Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September.

 

We are acutely aware that this may cause you further inconvenience and are deeply sorry for this. As mentioned in our previous communications to customers, your Cashback is safe, and your passwords are hashed with a unique and dynamic salt. This data does not contain any credit card details, and ShopBack does not store your 16-digit card number or CVV on any of our systems.

 

We want to reassure you that we have further enhanced our security measures since September by taking the following steps:

1. We have verified the removal of unauthorised access and ensured that our systems are now in line with the intended configurations.
2. We have further improved the storage of our unique salted passwords by encrypting using a separately stored 'pepper'.
3. We have partnered with CrowdStrike, a world-class endpoint security and threat intelligence platform, to monitor suspicious activity across all our systems.

 

In the coming days as a precautionary measure, we will be triggering a forced logout and password reset of customers’ ShopBack accounts.

Meanwhile, our investigation is still ongoing and we continue to cooperate with the Personal Data Protection Commission.

We thank you for your continued support and we will continue to release further updates. Please reach out to help@shopback.my if we can help out at all.

 

Last updated 25 September 2020

 

On 17 September 2020, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We immediately removed the unauthorised access and engaged leading cyber security specialists to assess the extent of the incident and further enhance our security measures. 

We have notified our customers as well as the Personal Data Protection Commissioner of the incident.

 

What is the extent of the incident?

We are currently confirming which data has been compromised. 

To date, we have no reason to believe that any of your personal data has been misused; however, the possibility still exists. What we can assure you of is that your Cashback is safe, and that your ShopBack account password is protected by encryption.

 

Apart from your email addresses (or alternative login IDs) and limited transactional information, ShopBack does not require you to provide information to us that is not related to our specific services or campaigns.  As a result, we do not have additional data that you had not provided directly to us. Types of data that you may have provided to us could include your:

1. Name
2. Contact Information
3. Gender
4. Date of Birth
5. Identification numbers (for customers involved in the Plus! Loyalty Programme campaign which ran from 3 November 2014 to 15 January 2016)
6. Bank account numbers (for customers who cash out to their bank accounts)

While bank account numbers do not permit third parties direct access to your bank accounts, users who have provided us with their bank account numbers should be watchful for potential phishing attacks.

This incident has not affected your Cashback balances in your ShopBack account. You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

 

What actions are we taking? 

Our priority is the protection of your information and we are doing all that we can to minimize the risk of a similar incident occurring again. Since we became aware of the incident, we have:

  • Immediately removed the unauthorized access.
  • Notified our customers of this incident and will continue to provide updates over the course of the investigation on this page.
  • Engaged external security specialists to identify and plug immediate vulnerabilities, support ongoing investigations, and fortify our security infrastructure. For example, we have validated our security plan with both internal security and external auditors and implemented additional authentication processes for all employees.
  • Tightened monitoring of internal logs to ensure heightened detection of unauthorised access if any were to occur.

 

What can I do next?

Change your password:  Your existing passwords are protected by encryption. As a further security measure, we still encourage you to reset your password via this link (https://shopback.my/forgot?b=1) and to further protect your account by adding your mobile number if you have not already done so. As an added precautionary measure, the same password should not be used across different sites.

 

Report suspicious emails: If you receive emails that you believe are suspicious, do not click on them, do not respond, and if possible, flag these with your email provider.

 

Stay vigilant and beware of phishing and other scams. You may also refer to https://www.nacsa.gov.my/ (operated by the National Cyber Security Agency), which has further helpful advice on how to avoid scams.

 

Contact us via help@shopback.my if you encounter any suspicious activity on your ShopBack account or if you have any questions. 

 

Is it safe to use ShopBack?

This incident has not affected your Cashback balances in your ShopBack account. You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers are of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.

 
