On 14 May 2021, Carousell Pte. Ltd. (“Carousell”) informed the Personal Data Protection Commission (“the Commission”) about an incident of unauthorized access to its users’ accounts due to a “credential stuffing” attack. Credential stuffing refers to a type of cyberattack where a cybercriminal accesses user accounts from one organisation using the usernames and passwords stolen from another organisation. 

Carousell was alerted to this issue due to reports by 2 users of Carousell. First, on 26 April 2021, a user reported that their account was being hijacked and used to make unauthorised purchases. Later on 1 June 2021, Carousell was alerted to another incident alert involving the same modus operandi, which had successfully made unauthorised purchases. 

The hacker(s) obtained the login and password details from an exposure of such details on another service provider’s platform (not Carousell). Since these users had used the same username and password on their Carousell accounts, the cybercriminal was able to infiltrate their accounts and make the necessary changes to their account settings to perform unauthorised purchases. 

Carousell investigated the matter immediately and found that there was no compromise of personal data from Carousell’s own databases. 

Further, at the time of the incident, Carousell had placed security arrangements including:

• Informing users when there is a change to their passwords, emails, or phone numbers linked to their account or when they logged in through a new device;

• Training its staff to identify and investigate likely account takeovers;

• Ensuring that card transaction that meet a certain fraud score are blocked and/or reviewed;

• Ensuring that a One Time Password (OTP) is required to complete transactions for made through card payments;

• Regular reviewing policies and regular testing and reviewing risk rules based on fraud trends, seasonality, regulation and all related indicators;

• Providing company-wide training and educational newsletters to increase staff awareness on security and data protection requirements; and

• Conducting annual penetration security assessments.

The Commission took the stance that Carousell had adopted reasonable standards for protecting personal data in its customer accounts and had also taken prompt action to alleviate the unfortunate effects of the data breach. 

The Commission also acknowledged that Carousell has reviewed the incident and has taken adequate remedial actions to strengthen its security measures, including blocking suspicious IP addresses, adding rules into existing third party fraud detection tools to prevent further instances of credential stuffing, implementing a mandatory two-factor-authentication verification via email when a user logs in from a different device, and advising users as to how to ensure improved cybersecurity on its platform and raising awareness against phishing attempts.

In the circumstances, the Commission concluded that Carousell did not breach data protection obligations under the Personal Data Protection Act and no directions were issued against it.