SINGAPORE: The Personal Data Protection Commission (PDPC) has fined PPLingo S$74,000 for a data breach caused by a weak password that affected over half a million users.
The Straits Times reported that the breach in April 2022 exposed sensitive personal information, including cellphone numbers, bank account numbers, signatures, and identity card numbers of Chinese nationals.
This breach impacted 557,144 users, including more than 300,000 minors using the company’s online language lessons.
PPLingo, under the website LingoAce, offers Chinese and English language classes for children aged four to 15 worldwide. The data breach was facilitated by a weak administrator password, “lingoace123,” which had not been changed for over two years.
Because the password was derived from the company’s website name, it was compromised through a brute-force attack, a method in which attackers use trial and error to guess passwords.
The hacker accessed the administrator account, informed the company about the breach, and provided proof by listing the personal data of several users.
However, the hacker did not follow up with any demands, leaving the compromised data at risk. PDPC’s investigation revealed significant lapses in the company’s security measures.
Notably, PPLingo had no password policy beyond requiring a minimum length of eight characters and did not mandate password complexity or periodic changes.
In addition, the administrator account lacked multi-factor authentication, a now-standard security measure for protecting sensitive data.
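The lapses listed above (a password derived from the site name, a policy that checks only an eight-character minimum, no rotation, no multi-factor authentication) are all things an account review can test for mechanically. The following is an added illustration written for this article, not code from PPLingo or LingoAce; the organisation term list, the small common-password sample, the 12-character minimum and the 90-day rotation window are constructed assumptions, and a real deployment would check against a full breached-password corpus instead.

```python
import re
from datetime import date, timedelta
from typing import List, Optional

# Constructed deny list of organisation-specific terms an administrator is
# likely to reuse (assumption; "lingoace" is the site name from the report).
ORG_TERMS = ("lingoace", "pplingo")

# Constructed sample of widely reused passwords. A production check would use
# a breached-password list rather than this handful of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin123", "welcome1"}

MIN_LENGTH = 12     # assumption: stricter than the eight characters the firm required
MAX_AGE_DAYS = 90   # assumption: rotation window for privileged accounts


def _base_word(pw: str) -> str:
    """Strip trailing digits/punctuation so 'lingoace123' reduces to 'lingoace'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def check_password(pw: str, last_changed: date, today: Optional[date] = None) -> List[str]:
    """Return the policy violations for an administrator password (empty = acceptable)."""
    today = today or date.today()
    problems: List[str] = []

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Count lowercase, uppercase, digit and symbol classes present.
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")

    lowered = pw.lower()
    for term in ORG_TERMS:
        if term in lowered:
            problems.append(f"contains organisation term '{term}'")

    if lowered in COMMON_PASSWORDS or _base_word(pw) in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")

    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append(f"not changed for more than {MAX_AGE_DAYS} days")

    return problems


def review_admin_account(pw: str, last_changed: date, mfa_enabled: bool,
                         today: Optional[date] = None) -> List[str]:
    """Combine the password findings with the MFA enrolment check for one admin account."""
    findings = check_password(pw, last_changed, today)
    if not mfa_enabled:
        findings.append("multi-factor authentication not enrolled")
    return findings


if __name__ == "__main__":
    # Constructed scenario mirroring the report: site-name password, unchanged for two years, no MFA.
    for finding in review_admin_account("lingoace123", date(2020, 3, 1), mfa_enabled=False,
                                        today=date(2022, 4, 1)):
        print("FAIL:", finding)
```

Run as a script, the constructed scenario prints one FAIL line per lapse; the same functions can be pointed at a directory export of privileged accounts to produce a findings list per account. Each check is independent, so a password that only fails the organisation-term rule still gets reported even when it satisfies length and complexity.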
The commission highlighted the firm’s failure to appoint a data protection officer (DPO) before the breach, a requirement under Singapore’s data protection laws.
The company only appointed a DPO after the incident, despite being operational since 2016.
Responding to the breach, PPLingo took remedial actions, including notifying affected users and implementing stronger security measures.
Despite these actions, the PDPC imposed the fine, noting that the firm’s prior negligence had contributed to the severity of the breach.
PPLingo requested a reduced fine, arguing that it had voluntarily notified other data protection authorities in over 40 affected locations and suggesting that the fine should consider only Singapore-based individuals.
The PDPC rejected this plea, maintaining that the firm is responsible for all personal data, regardless of the users’ locations.
PDPC announced on May 23 another penalty of S$28,000 on Horizon Fast Ferry for a separate data breach.
This Singapore-based ferry operator, which services routes between Singapore and Batam, experienced a leak affecting nearly 108,500 customers. The compromised data included passport numbers, dates of birth, and passport issue and expiry dates.
The breach at Horizon Fast Ferry was revealed in March 2023 through ransomware emails indicating that customer data had been leaked.
The company informed PDPC about the breach the following month and took steps to mitigate the impact, including hiring a vendor to develop a new website.
PDPC’s investigation found that Horizon Fast Ferry had not ensured its IT support vendor’s staff were adequately familiar with its operating system, resulting in insufficient security measures. /TISG