DATA BREACH:
People reported falling victim to fraud on Shopee and Carousell that involved scam groups stealing data or convincing people to send them money

Shopee and Carousell, two online marketplaces based in Singapore, were the consumer-to-consumer (C2C) platforms on which people in Taiwan were most likely to fall victim to phishing scams over the past five weeks, the Criminal Investigation Bureau said on Sunday last week.

Information reported by the public on the 165 anti-fraud hotline showed that hackers have recently conducted phishing attacks on C2C online auction platforms such as Shopee and Carousell.

The attacks were aimed at stealing personal or business information provided by customers to carry out online transactions, with the information then used to conduct scams such as canceling installment payment setups, the bureau said.

Photo courtesy of Shoppee Taiwan Co Ltd

As Shopee and Carousell are owned by companies in Singapore, they have only a small staff presence in Taiwan, and there are no professional information security teams to assist people in protecting their accounts and passwords after being hacked.

The two online platforms have been referred to the Ministry of Digital Affairs for investigation on suspicion of contravening the Personal Data Protection Act (個人資料保護法).

The ministry conducted inspections of the two entities in December last year, and asked both platforms to make improvements, but no concrete action was taken, the bureau said.

Due to the high number of personal data breaches on major online shopping platforms in recent years, the bureau regularly releases a list of e-commerce platforms on which customers are at risk of fraud.

Fraud groups tend to use hackers to steal transaction data — purchase time, product name, amount and payment method — and pose as customer service representatives of the related companies to trick shoppers into transferring money to them online or through an ATM, the bureau said.

From June last year to last month, the bureau has sent notifications related to about 100 e-commerce companies suspected of leaking customers’ personal data to seven ministries, including the Ministry of Digital Affairs, the Ministry of Health and Welfare, the Ministry of Education, the Ministry of Economic Affairs and the Ministry of Culture, it said.

However, only about 10 percent of those e-commerce companies were inspected and required to make improvements, it said.

There is no record of any punishments in the past year, it added.

The number of fraud cases related to the cancelation of installment payment agreements caused by personal information leaks reached nearly 1,000 in just two months, and financial losses have exceeded NT$100 million (US$3.27 million), it said.