On October 14, a data breach on the online marketplace Carousell made the personal information of nearly 39% of all accounts, or 1.95 million users, public.
The Personal Data Protection Commission (PDPC) said in a statement released on Friday that it had “begun inquiries” into the event.
A Carousell spokesperson responded to queries. He said he had identified email addresses of users as a result of the breach; mobile numbers and dates of birth were also identified.
Carousell informed its users late Friday night.
A flaw was introduced when the company switched to a new system. It allows a third party to gain unauthorized access to their data.
The official said in response, “We’ve fixed the bug so that no one else can get to your personal information without your permission again.”
The platform’s top priority was to determine what caused the problem. When asked why the affected users didn’t know about the problem until a week after it happened, the representative explained.
We were not fully aware of the leak at the time of discovery. A spokesperson for Carousell told Singapore’s Personal Data Protection Commission about the breach on October 17.
He continued, “Letting them know is definitely the first priority.” It is to detect and close the vulnerability. Also, to determine the severity of this breach, Then, our experts spent further time reviewing the supplied material.
We immediately dispatched this notice. The official also said that Carousell had sent all affected users an email telling them to watch out for any phishing emails or SMSs and not to respond to any messages that ask for personal information like their passwords.
It also gave users peace of mind that their payment information and credit card numbers were safe.
The Singapore Cyber Security Agency also said it knew about the situation and had reached out to Carousell for help.
The firm spokesman said: “We advise consumers to stay alert and look out for indicators of phishing, such as any unexpected requests for information.”
Before they click on any links or download any attachments, they should make sure the request is real with
