13 Nov 2020 (Update)
Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September.
We are acutely aware that this may cause you further inconvenience and are deeply sorry for this. As mentioned in our previous communications to customers, your cashback is safe, and your passwords are hashed with a unique and dynamic salt. This data does not contain any credit card details, and ShopBack does not store your 16-digit card number or CVV on any of our systems.
We want to reassure you that we have further enhanced our security measures since September, taking the following steps:
- We have verified the removal of unauthorised access and ensured that our systems are now in line with intended configurations.
- We have further improved the storage of our unique salted passwords by encrypting using a separately stored 'pepper'.
- We have partnered with CrowdStrike, a world-class endpoint security and threat intelligence platform, to monitor for suspicious activity across all our systems.
In the coming days as a precautionary measure, we will be triggering a forced logout and password reset of customers’ ShopBack accounts.
We have also rolled out a self-deletion feature on our site to give our customers the ability to delete their accounts quickly and easily themselves without the need to contact ShopBack. See this 'How To' link to self-delete your account. We can also continue to assist customers with deleting an account if this is their preference.
Meanwhile, our investigation is still ongoing and we continue to cooperate with the Office of the Australian Information Commissioner.
We thank you for your continued support and we will continue to release further updates. Please reach out to [email protected] if we can help out at all.
26 Sep 2020
We know the trust you place in us to safeguard your personal information, which is why we’re proactively writing this up. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.
As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.
To date, we have no reason to believe that any of your personal data has been misused; however, the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.
You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.
We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQ on our website which has further details.
While your password is encrypted, you may wish to change your ShopBack account password, and we suggest that you do not use the same password on other digital platforms.
We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.
FAQs In This Post
How do I close my account?
See this 'How To' link.
How long will it take to close/delete/deactivate? Can I recover my account?
It will take us up to 48 hours to close/deactivate/delete your account after receiving your request. We will not be able to reinstate/restore or retrieve any information (this includes cashbacks associated with the account).
Can I still get my cashback after closing my account? What about pending cashbacks?
In order to ensure that you receive your cashback, you will need to request a cashout and confirm that you have received it before submitting a request to close/delete/deactivate your account. Cashbacks that have not been confirmed will not be able to be processed. You will not be able to cash out pending cashbacks after they become confirmed as we will not be able to track and link them to you once we have deleted all your information.
I'm not receiving the password reset emails
Our systems are processing the requests and the emails will get to users soon (update: email services have been restored and are functioning normally). Alternatively, you can also reset your password by clicking on "Update Password" under https://app.shopback.com/account.