PDPC Fined Company $74K for Largest Data Breach in S’pore

With so much of our personal data online these days, it’s more important than ever to keep this information safe, out of the reach of hackers.

After all, if hackers get a hold of such information, they could profit from it by selling it on the black market.

That’s why the authorities take data breaches seriously, and will punish those who don’t take the necessary safety measures to prevent leaks.

Company Fined $74K for Largest Data Breach in S’pore

Commeasure, which operates the hotel booking site RedDoorz, has been fined $74,000 after the personal data of nearly 5.9 million Singaporean and South-east Asian customers was leaked last year.

It is Singapore’s largest data breach to date.

The leaked information included RedDoorz customers’ names, contact numbers, e-mail addresses and dates of birth, as well as encrypted passwords to customers’ RedDoorz accounts and booking information.

Hackers can sell this information online, or use it to impersonate victims and take control of their online accounts. Indeed, the stolen data was put up for sale on a hacker forum but was later taken down.

Fortunately, no credit card numbers were leaked in the breach.

Around 9,000 of the affected customers are from Singapore, but most of the stolen data came from Indonesia.

It was only when an American cyber-security firm alerted the company last September that Commeasure became aware of the breach.

Lapses

The fine was issued by the Personal Data Protection Commission (PDPC), which serves as Singapore’s main authority in matters relating to personal data protection.

The fine doled out was lower than some had expected, but the PDPC explained that it was because of the difficulties the tourism sector has faced throughout the pandemic.

“In deciding the amount of financial penalty to be imposed, we also considered that the organisation, which operates in the hospitality industry, had been severely impacted by the COVID-19 pandemic,” it said.

Among the lapses discovered by the PDPC were the IT security reviews conducted by Commeasure, which the PDPC felt were not sufficiently rigorous.

Commeasure also embedded Amazon Web Services’ access key in their Android application package (APK) – which is used to install apps – against the advice of Amazon Web Services.

The company had last updated the APK in 2018, after which it was regarded as defunct. This meant that the APK wasn’t checked during Commeasure’s security review.

What’s more, there should have been a security tool in the APK to prevent data breaches, but this was missing due to its “defunct” status.
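A check of the kind that catches this lapse, shown here as an added example (it is not taken from the PDPC decision or from Commeasure's code): it opens an APK as the ZIP archive it is and flags any string shaped like an AWS access key ID. The function names are hypothetical, and the sample archive is constructed using the placeholder key from AWS's own documentation. Such a scan only helps if it is run over every published artifact, including ones regarded as defunct.

```python
import io
import re
import zipfile

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# IAM user keys, ASIA for temporary STS keys) plus 16 upper-case alphanumerics.
KEY_ID_ASCII = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# resources.arsc can hold strings as UTF-16LE, so match that encoding too.
KEY_ID_UTF16 = re.compile(
    rb"(?:A\x00K\x00I\x00A\x00|A\x00S\x00I\x00A\x00)(?:[A-Z0-9]\x00){16}"
)


def scan_apk(apk):
    """Return sorted (entry_name, key_id) pairs found in an APK path or file object."""
    findings = set()
    with zipfile.ZipFile(apk) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info)  # decompressed bytes of this entry
            for match in KEY_ID_ASCII.finditer(data):
                findings.add((info.filename, match.group().decode("ascii")))
            for match in KEY_ID_UTF16.finditer(data):
                findings.add((info.filename, match.group().decode("utf-16-le")))
    return sorted(findings)


def build_sample_apk():
    """Constructed stand-in for an APK; the key is AWS's documentation placeholder."""
    fake_key = "AKIAIOSFODNN7EXAMPLE"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("classes.dex", b"dex\n035\x00" + fake_key.encode() + b"\x00")
        archive.writestr("resources.arsc", b"\x02\x00" + fake_key.encode("utf-16-le"))
        archive.writestr("assets/readme.txt", b"no credentials here")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, key_id in scan_apk(build_sample_apk()):
        print(f"{entry}: possible AWS access key ID {key_id}")
```

A match is only a candidate: the pattern identifies the key ID's shape, so each hit still needs to be confirmed and the key rotated if it is real.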

In 2018, the personal data of 1.5 million people, including Prime Minister Lee Hsien Loong, was leaked. Those implicated were fined a combined $1 million.
