The breach came to light in September last year after the personal data of 332,774 Starbucks Singapore customers was sold on a dark web forum. Information such as contact details and account membership information such as names, physical addresses, email addresses, telephone numbers and birth dates were put up for sale. The data collected from those who signed up for the My Starbucks Rewards loyalty programme was stored on a cloud database.
The PDPC said that it recognised that Ascentis cooperated with investigations, took prompt remedial actions, did not previously breach the Personal Data Protection Act, and voluntarily accepted responsibility for the incident. It also added that it was satisfied the data breach could not be directly attributed to Starbucks Singapore since internal lapses by Ascentis had caused the breach.