Instarem had a major privacy incident last night in which user data – including full names, email addresses, transaction history and even Amaze card details – was made visible to other users via the Instarem app and website.
As expected, Instarem is trying to downplay the issue, but this is an extraordinary breach that is going to significantly undermine customer confidence. Something went very wrong yesterday, and there are serious questions to be answered.
💬 Instarem’s Response
Q1. What caused the incident? What remedial action is Instarem taking to prevent this from happening again?
Answer: In addition, we have since written to the impacted customers and explained what happened. We are also in full co-operation with the relevant authorities, including the PDPC and Monetary Authority of Singapore (MAS). Nium is committed and continues to maintain industry-standard safeguards to protect customer information, including real-time monitoring, strong encryption protocols, and layered security controls, attested by certifications like ISO 27001, PCI DSS, SOC 2 Type 2.
Q2: What data was visible?
Answer:
Q3. Why were there 2 emails sent to customers?
Answer: The first communication was sent promptly to customers who had logged in during the affected period and might have viewed other customer’s info. At that point, there was no indication that their sensitive information – such as identification numbers, financial details, or passwords – had been visible or disclosed to other parties. We wanted to explain to this group of customers why they were able to view other customer’s information. As an additional precaution, we sent the second email to a small number of amaze users who may have had their cards visible (at that time, we did not know the full impact, which later turned out to be only 2 users). We temporarily blocked their cards, and recommended replacements to ensure continued protection, even though tokenization and other security measures remained in place. In addition, after ascertaining the impacted customers, we have since written to the impacted customers whose sensitive information might have been disclosed. We explained what happened and sincerely apologise to this group of customers.
What happened?
Last night, Instarem customers reported that they were seeing the details of other users in their Instarem app, including:
- Full name
- Email address
- Mobile number
- Transaction history
- Recipients
- Last 4 digits of linked cards
- Amaze Card details
Based on reports in the MileChat, there were multiple users whose data was exposed, across different countries including Singapore. Many people found themselves logged in to the same account, as seen from this screenshot of a support chat where multiple people were sending messages from the same account.

The incident was finally resolved around 10 p.m., when regular functionality was restored and users were logged back into their proper accounts.
But of course, this breach has raised some major concerns – if I could see someone else’s data (including their Amaze card details!), could someone else have been viewing mine?
Instarem’s response
Instarem sent out the following email to customers last night acknowledging the issue and promising an investigation.
💬 Message from Instarem
We are reaching out to inform you about a recent technical issue that occurred on 13 May, around 8:50 pm SGT and to reassure you that your customer data has not been compromised. Due to an unexpected bug in our system, a limited number of users may have briefly seen partial user information not related to their account. Our internal teams acted immediately to identify and resolve the issue, which has now been fully fixed. We want to assure you of the following:
We deeply value the trust you place in us, and we take the responsibility of protecting your information extremely seriously. We apologise for any confusion or concern this may have caused. If you have any questions, please don’t hesitate to reach out to us at Help Centre. Thank you for your understanding and continued support.
Now, I don’t know about you, but I have issues with how Instarem is characterising the breach.
First, there’s the timeline. Instarem says the issue began at 8.50 p.m. SGT and was resolved within 30 minutes. However, multiple reports of users seeing other people’s data were still coming in close to 10 p.m. That suggests the actual “exposure time” may have been longer than Instarem is willing to admit.
Second, Instarem claims that “a limited number of users” saw unrelated customer data. Really? The MileChat was flooded with similar reports, as were other Telegram communities and Reddit. Even my father, currently in France, sent me a panicked message saying that his account had been hacked and he was seeing the details of some Portuguese guy in his app.
That doesn’t feel limited to me, and perhaps Instarem is trying to play with semantics by saying “yes, everyone could have seen it in theory, but since the incident was resolved relatively quickly, only a limited number of users actually did”.
Third, Instarem says no sensitive data was exposed, which is hard to believe given what people reported seeing. Beyond full access to Amaze card details (including expiry dates and CVV codes), there was certainly enough information here to potentially answer security questions for banks and other financial institutions.
Unless this all turns out to be dummy data from test accounts (and if that were the case, I suspect Instarem would have already come out and said so), then I don’t understand how this isn’t considered sensitive. It could be another case of word games, as Instarem explicitly mentions identification numbers, financial details, and passwords as examples of sensitive data – all of which aren’t stored in the app anyway (though wouldn’t Amaze Card details be considered financial details?).
Of course, I want to acknowledge that the email says “your” customer data has not been compromised, and not “no” customer data has been compromised. There is a possibility that Instarem is sending this particular email to accounts it has verified were not compromised during yesterday’s incident, while those which were are getting a different email.
This might be the case, because there’s a second email circulating to certain customers, informing them their Amaze Card has been blocked and asking them to request a replacement.
💬 Message from Instarem
At Instarem, we take the security and privacy of your personal information very seriously. Following a brief technical issue on 13 May that might have compromised your card details, we have temporarily blocked your amaze card to ensure the safety of your account. While the issue is now fully resolved, we strongly recommend that you request a card replacement via your app as a precautionary measure. This will help strengthen the protection of your account and give you peace of mind. If you have any questions or need assistance, please don’t hesitate to contact us through our Help Centre – we’re here to help. Thank you for your understanding.
Ironically, this customer also reported receiving the first email, which is absurd to say the least. On the one hand, your sensitive data (including financial details) wasn’t compromised, on the other, your Amaze Card has been compromised!
What about my linked cards?
Since Amaze is a passthrough that is linked to various credit and debit cards, any concerns about Amaze will naturally raise concerns about the linked cards as well.
I don’t think you need to be worried about this, however, because the Instarem app does not store the details of your linked cards beyond the last four digits. It’s impossible to reverse engineer them from the app too.
I mean, if it helps you sleep better at night, by all means go request a replacement, but I personally don’t see the need to do so.
Conclusion
Instarem experienced a major incident last night that exposed user data – including mobile numbers, email addresses, and Amaze card details – to the public. This is a serious breach, and one that deserves attention from both the mainstream media and relevant authorities.
In the meantime, the company has some pressing questions to answer: How did this happen? What steps is it taking to make sure it never happens again? And how can users trust it to protect their data going forward?
I’ve reached out to Instarem with some questions, and will update this post when I receive a reply.
I did not receive any email from Instarem. Should I be concerned?
hello check your junk email
Same
Same for me. No email or app notification from Instarem. Not in Junk or Spam folder either. That good or bad news?
same here, no email
lol I’ve had multiple fraudulent transactions from my amaze card over the years. had to get my card replaced each time. stuck with it for the 4mpd. now i know why…
So are we supposed to request a replacement card even never received the second email?
Instarem (and their parent company Nium) recently went through yet another round of layoffs. Perhaps the team has dwindled and there are no resources to fix bugs popping up left and right.
I heard their CTO also left (or was asked to leave), they hire top level management, then have a round of layoff where they fire low level people, and then they fire the top management also. which is quite funny
I have asked for a replacement Amaze card.
Anyway nowadays rarely use this except during overseas trip to get better exchange rate with 4mpd on CRMC
Their exchange rates when using a credit card is getting worse. JPY was 113 last night but only got 109, making it a 3.5% spread. Fortunately, it was only a small amount.
Haven’t received either emails..
Such a huge fuck up by Instarem. 2 years ago I already had fraudulent transactions on my card, and they did not refund anything.
This can happen to any institution but since I base my financial decisions on security, I always choose a major bank that would face huge penalties from regulatory bodies and widespread public recrimination. Points are not essential, just a nice perk. MAS-regulated full banks for all cards and accounts. I’d ignore the inducements or lower fees from others (e.g. Amaze, Chocolate, only-online brokerages), which are marginal when considering the big picture for major spending, investment decisions or overall financial health.
lol amateur hour from Instarem. They have no idea/don’t have the right people to do a standard crisis management. Huge reputation hit once mainstream media picks up on this. What we have: Emails seemingly only to select users (I don’t have any emails from Instarem. In fact, I got a spam mail promoting their currency transfers). This means users like myself found out from this website. Not a good look. No timeline on RCA. No mention of sending RCA to clients. No idea what their actions will be from this incident. No idea if this will happen again. “Recommending” clients…
While bad, you need to take personal responsibility for security. That is easy to do. Keep the online button toggled off, except for the few seconds when you are doing a transaction. Unless you are overseas keep the Overseas transactions button toggled off. And if you want to go even further lock the card โ a pain if you are using it frequently, but certainly an option if not used often. Does not take long to unlock, do a transaction, and then lock again.
My Instarem Card is always locked until I want to use it. But it has become really rare to do so these days.
Can actually lodge a complaint with PDPC for such a major data breach if the company isn’t addressing this.
exactly. the fact that they are downplaying the impact is so that PDPC does not go after them.
Use this form: https://go.gov.sg/pdpc-feedback
I am not affected as I don’t use these services. My heart goes out to those who are affected.