PDPC fines RedDoorz SG's site operator over data leak of 5.9m consumers

share on

twitter /
facebook /
linkedin /
- email
- telegram
- whatsapp
- wechat
- pinterest
- line
- snapchat
- reddit

The Personal Data Protection Commission has issued a SG$74,000 fine to Commeasure, RedDoor Singapore's website operator, for failing to put in place reasonable security arrangements to prevent the "unauthorised access and exfiltration of customers’ personal data" hosted in a cloud database. In September last year, the hotel booking and management platform had suffered a breach in one of its IT databases containing customers' details. According to CNA, the breach saw a data leak of close to 5.9 million customers - 9,000 of whom are Singaporeans.

The commission said in a statement that while this was the largest data breach that has occurred since the Personal Data Protection Act came into effect, the fine was much lower compared to preceding cases after considering the hardship upon the hospitality sector caused by the pandemic. The commission was notified of the breach on 25 September 2020. According to CNA, Commeasure found out about the breach on 19 September 2020, after an American cyber-security firm alerted the company. The data included names, email addresses, phone numbers, addresses, and booking details. The commission added that the hackers did not gain access or download the customers’ masked credit card numbers.

RedDoorz Singapore had then sent an email to its customers on 26 September 2020, detailing the data leak, advising its customers to change their passwords as an added precaution, and not to use the same password on other digital platforms, CNA reported.

According to The Business Times (BT), the user records were advertised for sale on hacker forums between September and October 2020, and were later removed. BT also reported that all of RedDoorz's customers were from Southeast Asia, and most of the compromised data came from its largest market, Indonesia.

The commission said that the hackers had accessed RedDoorz's database, hosted on an Amazon cloud database, after getting an Amazon Web Services access key. The access key was embedded in an Android application package (APK) created by Commeasure in 2015, which is used to install the RedDoorz app.

The problem arose when Commeasure had mislabeled the access key as a "test key", in addition to ignoring Amazon Web Service’s advice to not embed access keys directly into code. Hence, the company had been treating the APK as "defunct" and was left out when it hired a cyber-security company to conduct a security review and security tests. A security tool that could have prevented the hackers from getting the access key was also not used since it was considered defunct. Had Commeasure examined this APK or the access key, the data breach could have been prevented, the commission said. The IT security reviews conducted by Commeasure did not meet standards under the law as well.

In October last year, the Singapore government proposed to issue a fine of up to 10% of a company’s annual turnover in Singapore, or SG$1 million - whichever is higher - should a company be found guilty of a data breach. This came following a slew of data breaches in addition to RedDoorz, such as ShopBack, Razer, and Shopify. The local government also had several lapses of data breaches in 2019, including the leak of over 800,000 blood donors' personal particulars due to mishandling of data by a vendor of the Health Sciences Authority. Previously, the maximum fine for a data breach under the Personal Data Protection Act, which came into force in 2013, was SG$1 million.

Join our Digital Marketing Asia conference happening from 9 November 2021 - 25 November 2021 to learn about the upcoming trends and technologies in the world of digital. Check out the agenda here.

Photo courtesy: 123RF

share on