30 Instarem users' details potentially revealed to other customers due to 'technical issue'

SINGAPORE: Cross-border payments company Instarem said on Thursday (May 15) that about 30 users’ personal details may have been revealed on Tuesday night to other customers.

In response to CNA’s queries, Instarem said on Wednesday that it was aware that a “limited number” of users had been affected by a “technical incident”. 

“Our team has taken immediate action to investigate the nature and scope of this incident, with our top priority being the security of our systems,” it added. 

In an update on Thursday, the company said about 30 customers' profiles may have been visible to other Instarem users who logged into their accounts between 9.14pm and 9.50pm on Tuesday. 

Instarem said it had experienced a "technical issue" during routine system updates, and the problem was "quickly identified and resolved".

"We can confirm that there were no unauthorised customer transactions or financial loss as a result of this incident," it added.

Based in Singapore, Instarem allows its users to make international transfers to more than 60 countries and offers a multi-currency travel card called amaze. 

According to its LinkedIn profile, it is licensed to operate in Singapore, Australia, Malaysia, Hong Kong, Indonesia, Japan, India, Europe, the United Kingdom, the United States and Canada. Its website says it has more than 1 million customers.

"UNEXPECTED BUG"

Two Instarem users told CNA that when they logged into their accounts on Tuesday night, they found details belonging to someone else instead. These included the user’s email address, phone number and latest transactions on Instarem. 

Both users said they received emails from the platform about a “technical issue” that occurred around 8.50pm. 

The company attributed the issue to an "unexpected bug" in its system, saying that some users may have "briefly seen partial user information" that is not from their account. According to the email, all systems returned to normal operations in 30 minutes. 

The two users told CNA they first experienced the issue at around 9.30pm. 

Ms Chua, who wanted to be known only by her last name, said she panicked when she saw another person's details on the platform. 

"I think I logged in and out around five times - still the same," she said. 

When she decided to start a chat with the platform's customer service, she realised a conversation had already begun, with multiple messages asking why they were logged into the account. This made her realise that several users were logged into the same account. 

When she logged back into her account around 10pm, she found that things were back to normal.

"They said they resolved the issue quickly within 30 minutes. But who knows within 30 minutes, what have you got out of it?" 

In its email, Instarem said users’ sensitive data, such as identification numbers, financial details or passwords, was not exposed or accessible. 

It told CNA on Thursday that it "acted quickly to contain the issue, secured impacted accounts, and implemented additional safeguards".

The company temporarily paused its service at 9.50pm on Tuesday to contain the issue until it was resolved by 10pm. 

"The service was fully available by 10.10pm," said Instarem. "We regret any inconvenience this may have caused to our customers." 

In an update on Thursday, the company said: "We are contacting and apologising to all affected customers as well as reassuring them that there have been no unauthorised transactions or financial loss."

The Personal Data Protection Commission (PDPC) told CNA on Wednesday that it is reaching out to Instarem for more information.

Instarem added it has since responded to the relevant authorities, including the PDPC and Monetary Authority of Singapore (MAS), and are "fully aligned" with the guidance provided.