SINGAPORE: The account details of some Instarem users were revealed on other customers’ apps on Tuesday (May 13) night, in what the cross-border payments company described as a “technical incident”.
In response to CNA’s queries, Instarem said on Wednesday that it was aware that a “limited number” of users had been affected by a “technical incident”.
“Our team has taken immediate action to investigate the nature and scope of this incident, with our top priority being the security of our systems,” it added.
Based in Singapore, Instarem allows its users to make international transfers to more than 60 countries and offers a multi-currency travel card called amaze.
According to its LinkedIn profile, it is licensed to operate in Singapore, Australia, Malaysia, Hong Kong, Indonesia, Japan, India, Europe, the United Kingdom, the United States and Canada. Its website says it has more than 1 million customers.
Two Instarem users told CNA that when they logged into their accounts on Tuesday night, they found details belonging to someone else instead.
These included the user’s email address, phone number and latest transactions on Instarem.
Both users said they received emails from the platform about a “technical issue” that occurred around 8.50pm.
The company attributed the issue to an “unexpected bug” in its system, saying that some users may have “briefly seen partial user information” that is not from their account.
According to the email, all systems returned to normal operations in 30 minutes.
Both users told CNA they first experienced the issue at around 9.30pm.
Ms Chua, who wanted to be known only by her last name, said she panicked when she saw another person’s details on the platform.
“I think I logged in and out around five times – still the same,” she said.
When she decided to start a chat with the platform’s customer service, she realised a conversation had already begun, with multiple messages asking why they were logged into the account. This made her realise that several users were logged into the same account.
When she logged back into her account around 10pm, she found that things were back to normal.
“They said they resolved the issue quickly within 30 minutes. But who knows within 30 minutes, what have you got out of it?”
In its email, Instarem said users’ sensitive data, such as identification numbers, financial details or passwords, was not exposed or accessible.
“Our security and engineering teams are conducting a full root cause analysis and implementing additional safeguards to prevent such incidents in the future,” it added.
“We deeply value the trust you place in us, and we take the responsibility of protecting your information extremely seriously. We apologise for any confusion or concern this may have caused.”
The Personal Data Protection Commission told CNA it is reaching out to Instarem for more information.
Instarem told CNA it would provide a further update on the incident by 4pm on Wednesday.
