SINGAPORE - The hacker who stole Cortina Watch’s data by illegally accessing one of its servers has carried out a threat to release the information online, including customers’ contacts and addresses.

Checks by The Straits Times found that more than 7GB of data, including details of customers, vendors, staff and the public-listed group’s operations, were uploaded on a file-sharing site late on Thursday. The data dump included usernames and passwords for company and staff accounts, with numerous administrator accounts sharing the same password.

Information leaked on the dark web also included customer data such as contact information, home addresses and birth dates. The firm’s inventory of watches, sales orders and sales tactics were also uploaded. Some documents appeared to show how certain luxury watches were priced.

In one spreadsheet titled “repeat and moving slow stock”, a list of watches included a column for “cost”, which had entries in the form of percentages. Several of the entries were below 23 per cent, right next to a column with the header “RSP”, believed to stand for retail sale price.

Another spreadsheet contained a list of several watch models with different prices listed for “retail”, “walk in” and “regular”. One entry listed retail as $48,130, walk in as $75,000, and regular as $73,000.

A file containing sales tactics appeared to explain how salespersons should introduce certain luxury brands during a conversation with customers, and how to convince them to buy using details about the brand’s heritage.

They were also instructed to provide discounts of up to 10 per cent for certain customers and charge a higher price for walk-ins.

The names of at least 12 Malaysian datuks were also part of a customer list from 2021.

Cortina had detected unauthorised activity on one of its servers on Sunday. A hacker who went by the username Bassterlord claimed responsibility for the breach in a tweet the same day. He is reportedly a man in his 20s from Ukraine who heads a hacker group called the National Hazard Agency.

He demanded US$50,000 (S$67,000) to either destroy or return all the data, and gave Cortina a deadline of 6pm on Thursday to negotiate payment.

ST reported on the hack on Monday, and Cortina issued a public statement acknowledging the breach through a filing on the Singapore Exchange on Tuesday.

On Wednesday, Mr Jeremy Lim, the chief executive officer of Cortina Watch, told ST that the company took immediate steps to “identify, contain and address the potential attack on the server” after the breach. Its website has been down since Monday.

Bassterlord claimed in tweets that he had contacted Cortina at least four times over payment, but did not get a reply. After the deadline, he leaked the data on the dark web.

The incident has been reported to the police and the Personal Data Protection Commission (PDPC), which reached out to the firm for more information. The Cyber Security Agency contacted the company to offer assistance. Cortina has also notified all parties whose data was affected by the breach.

Cortina Watch was founded in 1972 as a small shop in Colombo Court, in North Bridge Road, by group executive chairman Anthony Lim. It has since expanded to more than 40 stores across Asia.

According to its annual report, the group’s total revenue grew 64.1 per cent to $716.9 million in 2022, with a net profit of $73.8 million.

The retailer carries more than 50 luxury brands, including Rolex and Patek Philippe.

More at https://www.straitstimes.com/singapore/hacker-leaks-cortina-watch-s-data-online-including-customer-details-and-sales-tactics