SINGAPORE – Personal data of nearly 5.9 million Singaporean and Southeast Asian customers of hotel booking site RedDoorz has been exposed, in what the government has called Singapore's biggest data breach.
The Personal Data Protection Commission (PDPC) fined local company Commeasure, which operates the website, $74,000.
That is far less than the combined fine of $1 million imposed on SingHealth and Integrated Health Information Systems for the 2018 data breach that affected 1.5 million people.
The commission said it had taken into account the difficulties in the hotel sector caused by the Covid-19 pandemic.
“In deciding on the amount of the financial penalty to be imposed, we also considered that the organization, which operates in the hotel sector, had been seriously affected by the Covid-19 pandemic,” said the PDPC in a judgment rendered last Thursday (November 11).
“This is the largest data breach since the entry into force of the Personal Data Protection Act.”
RedDoorz said last year that most of the compromised data came from the booking platform’s largest market, Indonesia. The company’s clients are all from Southeast Asia.
It is understood that approximately 9,000 of those affected are from Singapore.
The maximum fine for a data breach is currently $1 million under the law, which came into effect in 2013.
But companies could soon face higher fines of up to 10% of their annual turnover in Singapore or $1 million, whichever is greater. The higher fine is expected to take effect at least 12 months from February 1 of this year.
Data affected in the Commeasure incident included customer name, phone number, email address, date of birth, encrypted password for their RedDoorz account, and booking information.
Because customer passwords were stored in encrypted form, hackers cannot use them directly unless they find a way to crack them, for instance by guessing weak or common passwords offline. This reduces the likelihood that crooks can use the passwords to hijack victims' RedDoorz accounts.
Hackers did not access or download customers' masked credit card numbers.
However, with the other personal information breached, cybercriminals might be able to impersonate the victims and try to take over other online accounts that use similar information, based on what cybersecurity experts have said about other incidents.
It also means that victims could be targeted by more spam messages and phishing attempts.
The stolen data was put up for sale on a hacker forum before it was deleted, the Business Times reported last year.
Commeasure discovered the breach on September 19 last year, after a U.S. cybersecurity firm alerted the company.
PDPC was notified on September 25.
The hackers had likely accessed the company's database, hosted on Amazon Web Services, after obtaining an AWS access key.
This key was embedded in an Android Application Package (APK) created by Commeasure in 2015 and publicly available for download from the Google Play Store.
An APK is the package format Google's Android operating system uses to distribute and install mobile applications. The APK in question here was the installer for the RedDoorz application, and anyone who downloaded it could unpack it and read the key.
Commeasure's decision to include the access key in the APK goes against Amazon Web Services' guidance not to embed access keys directly in application code.
Commeasure had also wrongly labelled the access key in the APK as a "test key", even though it granted access to production data. The company eventually considered the APK "old". Even so, it could still be downloaded from Google Play and was not removed until after the data breach was discovered.
Because the APK was considered obsolete, it was left out when Commeasure hired a cybersecurity company to perform a security review and testing from September to December 2019.
A security tool that could have prevented hackers from obtaining the access key was also not used on the APK, as the APK was considered no longer in use.
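The practical check here is simple: an APK is a zip archive, and string constants survive compilation into classes.dex as plain text, so the raw bytes of every member can be scanned for credential-shaped strings without decompiling anything. The scanner below is an added example written for this article, not Commeasure's code or the tool the PDPC refers to; the sample APK it builds is constructed for the demonstration, and the credential values inside it are the placeholder pair that AWS uses in its own documentation, not live keys. Run over every package a company still publishes, old or not, it would flag a hard-coded key whatever label the developers gave it.

```python
"""Scan an APK for embedded AWS credentials (added example, not the page's code)."""
import io
import re
import zipfile

# Long-term AWS access key IDs start with AKIA and temporary (STS) ones with
# ASIA; both are 20 characters: the prefix plus 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 characters of [A-Za-z0-9/+]. That shape alone is
# too common in a binary to report, so only a run that follows an "aws" or
# "secret" hint on the same line is flagged.
AWS_SECRET = re.compile(
    rb"(?i)(?:aws|secret)[^\n]{0,40}?(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def scan_apk(apk_bytes):
    """Return a sorted list of (member, kind, value) for every credential-shaped
    string in the archive. Every member (classes.dex, assets/*, res/*, ...) is
    scanned as raw bytes, so no decompiler or string-dumping step is needed."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            data = apk.read(info)
            for m in AWS_KEY_ID.finditer(data):
                hits.append((info.filename, "access_key_id", m.group(0).decode()))
            for m in AWS_SECRET.finditer(data):
                hits.append((info.filename, "secret_access_key", m.group(1).decode()))
    return sorted(set(hits))


def scan_apk_file(path):
    """Convenience wrapper for a real APK on disk."""
    with open(path, "rb") as f:
        return scan_apk(f.read())


# Placeholder credentials from AWS's own documentation; they are not live keys.
EXAMPLE_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def build_sample_apk(with_credentials=True):
    """Build a minimal, constructed APK-shaped zip in memory (not a real app).
    With with_credentials=True the key ID is dropped into classes.dex next to a
    "test key" label, mirroring the mislabelled key in the article, and the
    secret goes into a properties file under assets/."""
    members = {
        "AndroidManifest.xml": b'<manifest package="com.example.booking"/>',
        "res/values/strings.xml": b'<resources><string name="app_name">Booking</string></resources>',
        "classes.dex": b"dex\n035\x00" + b"\x00\x08Lcom/example/booking/Config;\x00",
        "assets/config.properties": b"region=ap-southeast-1\nbucket=booking-uploads\n",
    }
    if with_credentials:
        members["classes.dex"] += b"\x00\x14" + EXAMPLE_KEY_ID.encode() + b"\x00\x08test key\x00"
        members["assets/config.properties"] += (
            b"aws_secret_access_key=" + EXAMPLE_SECRET.encode() + b"\n"
        )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    # Pass a path to scan a real APK; otherwise scan the constructed sample.
    hits = scan_apk_file(sys.argv[1]) if len(sys.argv) > 1 else scan_apk(build_sample_apk())
    for member, kind, value in hits:
        # Print only the ends of each value so the scan log does not itself leak the key.
        print(f"{member}: {kind} {value[:4]}...{value[-4:]}")
    if not hits:
        print("no AWS credentials found")
```

A hit on an access key ID is worth acting on even when the matching secret is not in the package: the ID identifies the IAM user, and a key that ships inside a public app should be treated as compromised and rotated regardless of what the source comment calls it.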
All of the developers, except one of the organization’s co-founders and the CTO, have since left the company.
PDPC said that if the company had reviewed this APK or the access key, the data breach could have been prevented.
"The organization's failure to include the affected APK and access key as part of the security review is due to the organization's failure to include them in its inventory of production IT assets," said the commission.
PDPC added that it was not convinced that the IT security reviews carried out by Commeasure were sufficiently rigorous and in line with the requirements of the law.
In arriving at the fine of $74,000, the commission said it also took into account factors such as the actions taken by Commeasure to remedy the incident. These included allowing only whitelisted Internet Protocol addresses to access its live databases and setting up two-factor authentication for all tools and accounts used by developers.
PDPC also said that although the company performed periodic security reviews, these efforts were undermined because the affected APK was not included in them.
Commeasure informed affected customers on September 26 of last year of the breach and advised them to change their RedDoorz account passwords as a precautionary measure and to avoid using the same passwords on other online platforms.