The personal information of roughly 5.9 million customers of hotel booking service RedDoorz, from Singapore and across South-East Asia, was found to have been exposed, in what the authorities have described as Singapore's largest data breach.
The Personal Data Protection Commission (PDPC) fined the website's operator, Commeasure, $74,000.
This is far less than the $1 million in penalties levied on SingHealth and Integrated Health Information Systems for the 2018 breach that affected 1.5 million people.
The commission said it had taken into account the impact of the Covid-19 pandemic on the hotel industry.
“In deciding the amount of financial penalty to be imposed, we also considered that the organization, which operates in the hospitality industry, had been severely impacted by the Covid-19 pandemic,” said the PDPC in a judgment issued last Thursday (Nov 11).
“This is the largest data breach that has occurred since the Personal Data Protection Act came into effect.”
Last year, RedDoorz said that most of the compromised data came from the booking platform's main market, Indonesia. All of the company's customers are in South-East Asia.
An estimated 9,000 of those affected are Singaporeans.
Under the Act, which came into force in 2013, the maximum penalty for a breach is currently $1 million.
However, businesses may soon face fines of up to 10 per cent of their annual turnover in Singapore, or $1 million, whichever is higher. The higher cap is expected to take effect no earlier than 12 months after Feb 1 this year.
In the Commeasure incident, customers' names, contact numbers, dates of birth, e-mail addresses, booking information and the encrypted passwords to their RedDoorz accounts were compromised.
Because the passwords were stored in encrypted form, the attackers cannot use them unless they manage to decrypt them. This reduces the likelihood of fraudsters using the passwords to get into victims' RedDoorz accounts. How much protection that offers depends on how the passwords were protected and whether the key was out of the attackers' reach; the decision does not say.
Customers' masked credit card numbers were not accessed or downloaded by the attackers.
Cyber-security analysts note that, with the other personal data compromised, criminals could impersonate the victims and attempt to take over other accounts that use similar details.
It also means the victims may be subjected to more spam and phishing attempts.
According to The Business Times, the stolen data was put up for sale on a hacker forum before being taken down.
Commeasure discovered the intrusion on Sept 19 last year, when an American cyber-security firm notified the company.
On September 25, the PDPC was alerted.
The attackers most likely gained access to the company's database, hosted on an Amazon Web Services (AWS) cloud server, by obtaining an AWS access key.
This key was embedded in a Commeasure Android application package (APK) that had been publicly available for installation from the Google Play Store since 2015.
An APK is the package format Android uses to distribute and install apps; the APK in question was an old version of the RedDoorz app.
Commeasure's decision to embed the access key in the APK went against AWS's recommendation not to put access keys directly into application code.
Commeasure had also mislabelled the access key inside the APK as a "test key". The company later considered the APK "dead", yet it remained available on Google Play and was only withdrawn after the breach was discovered.
Because the APK was considered dead, it was left out of scope when Commeasure engaged a cyber-security firm to carry out a security assessment and testing from September to December 2019.
A security control that might have prevented the attackers from extracting the access key was also not applied to the APK, because it was considered obsolete.
Apart from one of the company's co-founders and the chief technology officer, all the developers involved have since left the firm.
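The attack path above, a hardcoded AWS credential shipped inside a publicly downloadable APK, is something a security review can catch mechanically, provided the artefact is in scope at all. The following is an added example, not code from RedDoorz, Commeasure or the PDPC decision: a small Python scanner that opens an APK as the zip archive it is and searches every entry (manifest, resources, compiled classes.dex) for strings shaped like AWS access key IDs, reporting whether a 40-character secret-key-shaped string sits nearby. It pays no attention to how a key is labelled, so a "test key" is flagged like any other. The sample APK it builds is constructed in memory and uses AWS's documented example credentials (AKIAIOSFODNN7EXAMPLE and friends); a real key could also be obfuscated or split across strings, which a byte-pattern scan like this would miss.

```python
"""Scan an APK for embedded AWS credentials (added example, not RedDoorz/Commeasure code)."""
import io
import re
import zipfile

# AWS access key IDs are 20 characters: "AKIA" (long-term) or "ASIA" (temporary)
# followed by 16 upper-case letters or digits. Lookarounds stop matches inside longer runs.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters of base64-style text. On their own they are too
# noisy to report, so they are only looked for in a window after an access key ID.
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
SECRET_WINDOW = 400  # bytes after the key ID in which to look for a paired secret


def scan_bytes(entry_name, data):
    """Return one finding per access key ID found in the raw bytes of an archive entry."""
    findings = []
    for match in ACCESS_KEY_RE.finditer(data):
        window = data[match.end(): match.end() + SECRET_WINDOW]
        findings.append({
            "entry": entry_name,
            "offset": match.start(),
            "access_key_id": match.group().decode("ascii"),
            "secret_nearby": SECRET_KEY_RE.search(window) is not None,
        })
    return findings


def scan_apk(apk_bytes):
    """An APK is a zip archive; scan every file entry, text or binary, for access keys."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            findings.extend(scan_bytes(info.filename, apk.read(info)))
    return findings


def build_sample_apk():
    """Constructed stand-in for an APK, using AWS's documented example credentials.

    The key in strings.xml is deliberately labelled "test" to show that the label
    makes no difference; the second key is buried in a binary classes.dex entry.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", '<manifest package="com.example.booking"/>')
        apk.writestr(
            "res/values/strings.xml",
            "<resources>\n"
            '  <string name="aws_test_key">AKIAIOSFODNN7EXAMPLE</string>\n'
            '  <string name="aws_test_secret">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n'
            "</resources>\n",
        )
        apk.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"\x00" * 64 + b"AKIAI44QH8DHBEXAMPLE" + b"\x00" * 32,
        )
    return buf.getvalue()


def main():
    for f in scan_apk(build_sample_apk()):
        paired = "secret-shaped string nearby" if f["secret_nearby"] else "no secret nearby"
        print(f'{f["entry"]}@{f["offset"]}: {f["access_key_id"]} ({paired})')


if __name__ == "__main__":
    main()
```

The scanner works on raw bytes rather than decoded text so that a key sitting in a dex file or a native library is found as readily as one in an XML resource. The more important lesson from the decision is procedural: the scan only helps if every artefact still published to an app store is in the asset inventory and therefore in scope for the review.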
According to PDPC, the data breach may have been avoided if the organization had reviewed this APK and the access key.
“The organization’s failure to include the affected APK and the… access key within the scope of the security review arose because of the organization’s negligence to include them in its inventory of IT assets in production,” said the commission.
The PDPC also said it was not satisfied that Commeasure's IT security audits were sufficiently robust or met the legal standard.
The commission said that in arriving at the $74,000 fine, it took into account factors such as Commeasure's remedial measures. These included restricting connections to its live servers to whitelisted Internet Protocol addresses and requiring two-factor authentication for all developer resources and accounts.
The PDPC further noted that, while the company did carry out periodic security checks, those efforts were undermined because the affected APK was never included in them.
Commeasure notified affected customers of the incident on Sept 26 last year, advising them to change their RedDoorz passwords as a precaution and not to reuse the same credentials on other online platforms.