At Flipster, we are dedicated to upholding the highest standards of security, transparency, and integrity in all aspects of our operations. Recent discussions within specific community groups have raised certain aspects of our operations, and we view this as an opportunity to address them clearly. We take these matters seriously and are continuously refining our policies and safeguards to ensure we maintain the trust and confidence of our community.
1. Background
We would like to provide clarity on the situation concerning a former Client Servicing employee who handled KYC-related inquiries and was let go recently due to work performance that did not meet the required standards.
Regretfully, since the departure, the individual has been disseminating the personal data of internal team members across multiple external channels and platforms, an act that constitutes a clear breach of data protection laws. The unauthorized use or distribution of personal information is a serious violation of legal and ethical standards. In addition, the individual accessed certain customer email addresses without proper authorization and made inaccurate claims, further aggravating the situation through these unethical actions. We have already taken appropriate measures to address and resolve this matter. Given recent developments, we felt it was the right time to provide clarity and reassurance to all stakeholders.
Our priority remains the protection of our employees and customers, as well as upholding the standards of our work environment. We remain committed to ensuring full compliance with all applicable data protection regulations, both locally and internationally.
2. Addressing Specific Issues Raised
In response to various claims made by the former personnel, we would like to address the following concerns:
2.1. Human Resources Concerns
- Compensation & Outstanding Company Property: There have been claims regarding the non-receipt of final monthly payment by this individual. In accordance with company policy, final monthly payment disbursement was pending due to the failure to return company property. Once resolved, appropriate payments will be processed.
- Overtime Pay: Claims regarding unpaid overtime have also resurfaced. We have reviewed internal records, and there is no evidence supporting unpaid, eligible overtime work.
- Workplace Conduct: We acknowledge that a manager’s language towards the individual was not aligned with our workplace standards. The issue was addressed internally at that time, and the manager received a warning. Moving forward, we are reinforcing respectful workplace practices through additional training and oversight.
Ensuring Transparency through Independent Review
To ensure transparency and fairness, we have engaged an independent third-party firm specialising in HR issues to conduct an impartial review of the situation. We are committed to implementing any necessary corrective actions based on its findings to maintain our high standards and drive continuous improvement.
2.2. The 2023 KYC Image Sharing Incident
A previous incident relating to internal data handling has been raised. We acknowledge that, over a year ago, an internal KYC-related image was improperly shared within a team communication channel. This was unacceptable and a clear lapse in internal procedures, and we have taken appropriate measures, such as reaching out to the affected user and taking internal measures regarding those involved.
Steps taken to prevent future incidents:
- Immediate revision of policies to strictly regulate how KYC data is accessed and shared internally.
- Comprehensive training to reinforce responsible data handling.
- Strengthened internal monitoring and auditing of data access to prevent any recurrence.
This incident occurred before the individual raising concerns joined Flipster, and it has since been fully addressed.
2.3. Customer Data and KYC Handling
While there has been no breach of our security systems, a former Client Servicing employee retained and misused customer data beyond authorized access. During their tenure, they had legitimate access to certain user data as part of their role. However, they failed to comply with data handling protocols upon departure and refused to delete the information they had stored.
Measures to mitigate insider risks:
- Immediate termination of unauthorized access upon departure.
- Strengthened access control to limit data visibility even for authorized employees.
- Legal action initiated against the individual for misuse of company data.
Technical measures in place:
- Stricter Role-Based Access Controls: Further restrictions on data access, ensuring it is limited to an even smaller number of essential personnel.
- Enhanced Privacy Measures: Strengthened safeguards to protect sensitive information.
- Screen and Print Restrictions: Additional controls to prevent unauthorized screenshots and printing.
- Enhanced Monitoring and Anomaly Detection: Strengthened oversight of employee access to customer data, with proactive detection of unusual activity.
Security update:
We are continuing our investigations into the incident and taking all necessary steps to address the situation. At present, we are able to ascertain the following:
- A small group of VIP user email addresses may have been compromised. Where we have reason to believe that your email address has been compromised, we will notify you within 48 hours of this announcement. In some cases, you may have already received a notification from us.
- Certain internal company communications related to customer support inquiries may have been compromised.
- The personal data of a limited number of employees has been affected.
Our investigations are ongoing, and we are committed to providing relevant updates as we continue to assess the situation.
3. Our Commitment to Security and Data Protection
Security remains our highest priority. We have implemented robust measures to safeguard user data, prevent unauthorized access, and mitigate risks. Our approach is proactive, grounded in internationally recognized standards, and continuously evolving to stay ahead of emerging threats.
3.1. A Secure and Resilient System
Protecting User Funds and Data
We adhere to rigorous security frameworks, ensuring a strong foundation for our operations.
- ISO 27001 Certified: We maintain ISO 27001 certification, underscoring our commitment to a robust information security management system.
- Security-First Platform Design: Our systems are built with security-by-design principles, incorporating coding practices from the ground up.
Wallet and Key Management
We take a prudent and layered approach to securing users' assets.
- MPC-Based Cold Wallet Security: Our cold wallets are protected by Fireblocks' Multi-Party Computation (MPC) technology, with physically distributed signers and backups enhancing resilience.
- Hot and Cold Wallet Segregation: The majority of assets are stored securely in cold wallets, providing additional protection against cyber threats.
- Strict Security Controls: Hot wallets are safeguarded with stringent security protocols, ensuring that customer keys remain inaccessible to system administrators.
Encryption and Access Controls
We implement robust measures to protect sensitive data and critical systems.
- End-to-End Data Encryption: All customer data is encrypted, adding an additional layer of protection against unauthorized access.
- Multi-Layered Access Control: Access to critical systems, including hot wallets, is tightly controlled to minimize risks.
- KYC and AML Compliance: We adhere to stringent KYC and AML regulations, ensuring continuous monitoring to detect and prevent fraudulent activities.
3.2. Proactive Defense Against Hacking and Threats
Advanced Threat Prevention
Our security framework is designed to anticipate and mitigate risks before they materialize.
- Continuous Monitoring and Incident Response: Our systems undergo 24/7 monitoring, allowing for real-time threat detection and swift incident response to any anomalies or potential security breaches.
- Regular Security Audits: We conduct annual third-party penetration testing and security assessments, complemented by routine internal audits.
- Industry-leading Threat Detection: Our defenses are supported by best-in-class security solutions for real-time monitoring and threat intelligence.
Resilience Against Attacks
We maintain a robust security posture to protect our platform’s stability.
- 24/7 DDoS and Web Attack Protection: Our infrastructure is built to detect and mitigate large-scale attacks, ensuring uninterrupted service.
- Bug Bounty Program (Launching in Q2 2025): As part of our ongoing security enhancements, we plan to launch a Bug Bounty Program, inviting security researchers to help strengthen our platform. Participants will be rewarded for valid discoveries, reinforcing our security measures.
4. Clarifications on User Concerns
1. Has Flipster experienced a security breach?
No. Our security systems remain intact. However, a former employee retained and misused certain data beyond their authorized access. Upon discovery, we immediately took legal action and reinforced our safeguards to prevent similar incidents in the future.
2. Is my data secure with Flipster?
Yes. We have taken significant steps to strengthen data security, including encryption, restricted access, and continuous monitoring. Any improper data handling in the past has been fully addressed with stricter safeguards.
3. Is Flipster financially stable?
Yes. Flipster remains well-capitalized and operates from a position of financial strength. We continue to meet all operational requirements and ensure user assets remain secure.
4. Was the increased withdrawal activity on March 13 fully handled without any issues?
Yes, all transactions on March 13 were processed as usual, with no disruptions. Our systems operated smoothly throughout, and all user assets, which are fully backed 1:1 at all times, remain secure. We continue to ensure a seamless experience for our users, regardless of transaction volume.
5. Commitment to Our Users
We deeply value the trust of our users and will always act with integrity and accountability. Moving forward, we will continue to:
- Strengthen our security infrastructure to stay ahead of threats.
- Ensure transparency in how we handle sensitive matters.
- Review and refine our policies to uphold the safety and confidence of our users.
If you have any concerns, we encourage you to reach out to us directly through our official channels.
Thank you for your continued trust in Flipster.