SINGAPORE – The personal data of nearly 5.9 million Singaporean and South-east Asian customers of hotel booking site RedDoorz has been leaked, in what is Singapore’s largest data breach.
The Personal Data Protection Commission (PDPC) has fined local firm Commeasure, which operates the website, $74,000.
This is much lower than the combined $1 million fine for the 2018 SingHealth data breach, which affected 1.5 million people, as the commission said it had considered the hardship the Covid-19 pandemic had caused the sector.
“In deciding the amount of financial penalty to be imposed, we also considered that the organisation, which operates in the hospitality industry, had been severely impacted by the Covid-19 pandemic,” said the PDPC in a judgment issued last Thursday (Nov 11).
The maximum fine for a data breach is $1 million now under the Personal Data Protection Act which came into effect in 2013.
But firms can soon be fined more – up to 10 per cent of their annual turnover in Singapore, or $1 million, whichever is higher. The higher fine is slated to take effect at least 12 months from Feb 1 this year.
The affected data in the Commeasure incident included the customer’s name, contact number, e-mail address, date of birth, encrypted password for accessing a customer’s RedDoorz account and booking information.
The hackers did not access or download customers’ masked credit card numbers.
Because customer passwords were encrypted, the likelihood of their RedDoorz accounts being hacked is reduced.
However, with the other personal details breached, cyber criminals might be able to pose as the victims and try to take over other online accounts that use similar details, going by what cyber-security experts have said in other incidents.
It also means that the victims could be targeted by more spam messages and phishing attempts.
The stolen data was put up for sale on a hacker forum before it was taken down, reported The Business Times last year.
RedDoorz said at the time that most of the compromised data came from the booking platform’s largest market, Indonesia. The company’s customers are all from South-east Asia.
It is understood that about 9,000 of the affected people are from Singapore.
Less than 1 per cent of the database, or about 200,000 customer records, were from Singapore.
Commeasure found out about the breach on Sept 19 last year, after an American cyber-security firm alerted the company. PDPC was notified on Sept 25 last year.
The hackers had likely accessed the company’s database, hosted on Amazon’s cloud, after obtaining an Amazon Web Services access key.
This key was embedded in an Android application package (APK) created by Commeasure in 2015 and publicly available for download from the Google Play store.
Such a package is used by Google’s Android operating system to distribute and install mobile apps. The APK in question here is for installing the RedDoorz app.
The company’s decision to include the access key in the APK went against Amazon Web Services’ advice not to embed access keys directly into code.
Commeasure had also wrongly labelled the access key in the APK as a “test key”. The APK was last updated in 2018 and was regarded as “defunct”. Even so, it could still be downloaded from Google Play and was only removed after the data breach was discovered last year.
Since the APK was considered defunct, this meant that when Commeasure engaged a cyber-security company to do a security review and tests from September to December 2019, the APK was left out.
A security tool that could have prevented the hackers from getting the access key was also not used on the APK since it was considered defunct.
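One way a defender could have caught this, shown here as an added illustration that is not from the article or from Commeasure: a small Python scanner that opens an APK (which is a zip archive) and flags strings shaped like AWS access key IDs and secrets in every entry, regardless of whether the string is labelled “test”. The sample APK and the planted key pair (the example values from AWS’s own documentation) are constructed for this demonstration.

```python
import io
import re
import zipfile

# AWS access key IDs start with "AKIA" followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(rb"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
# Heuristic: a 40-character base64-like token on the same line as a "secret" label.
AWS_SECRET_KEY = re.compile(
    rb"(?i)(secret|aws_secret|secretaccesskey)[^\n]{0,40}?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def scan_apk_for_aws_keys(apk_bytes):
    """Return (entry, kind, value) for every key-like string found in the APK.

    An APK is a zip; credentials leak through res/values/strings.xml, assets,
    .properties files and the classes.dex string table, so every entry is
    scanned as raw bytes. A label such as "test_key" is deliberately not
    trusted: the value is flagged and a human decides whether it is live.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            for m in AWS_ACCESS_KEY_ID.finditer(data):
                findings.append((name, "access_key_id", m.group(0).decode()))
            for m in AWS_SECRET_KEY.finditer(data):
                findings.append((name, "secret_key", m.group(2).decode()))
    return findings


def build_sample_apk():
    """Constructed sample: a minimal zip shaped like an APK, with the AWS
    documentation example key pair planted in strings.xml (not a real credential)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>")
        z.writestr(
            "res/values/strings.xml",
            b"<resources>\n"
            b"  <string name='app_name'>Sample</string>\n"
            b"  <string name='test_key'>AKIAIOSFODNN7EXAMPLE</string>\n"
            b"  <string name='test_secret'>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n"
            b"</resources>",
        )
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)  # no secrets here
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind, value in scan_apk_for_aws_keys(build_sample_apk()):
        print(f"{entry}: {kind} = {value}")
```

Running the same scan over every shipped APK, including ones considered defunct, is the inventory check the commission said was missing.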
All the developers, except one of the organisation’s co-founders and the chief technology officer, have since left the company.
PDPC said that had the company examined this APK or the access key, the data breach could have been prevented.
“The organisation’s failure to include the affected APK and the… access key within the scope of the security review arose because of the organisation’s negligence to include them in its inventory of IT assets in production,” said the commission.
PDPC added that it was not satisfied that the IT security reviews that Commeasure did were sufficiently rigorous and met the standards under the law.
In arriving at the $74,000 fine, the commission said it also considered factors such as the actions Commeasure took to address the incident, such as only allowing whitelisted Internet Protocol addresses to access its live databases and having two-factor authentication in place for all the tools and accounts used by developers.
PDPC also said that the company conducted periodic security reviews, although these efforts were futile since the affected APK was not included.