Singapore — Nearly 5.9 million Singaporean and Southeast Asian customers of hotel booking site RedDoorz had their personal data leaked, making the incident Singapore’s largest data breach.
Loss-making startup RedDoorz was found to have exposed the personal data of 5.9 million customers in what the government called the largest data breach since Singapore’s Personal Data Protection Act came into force in 2013.
The Personal Data Protection Commission (PDPC) said in a recent statement that local firm Commeasure, which operates the hospitality platform, was fined S$74,000 “for failing to put in place reasonable security arrangements to prevent the unauthorised access and exfiltration of customers’ personal data hosted in a cloud database.”
The Commeasure incident exposed each affected customer’s name, contact number, email address, date of birth and encrypted RedDoorz account password, together with any booking information.
However, the hackers did not breach or download customers’ masked credit card numbers, reported The Straits Times on Monday (Nov 15).
The stolen data was advertised for sale on a hacker forum before being taken down.
PDPC noted that the hackers had presumably accessed RedDoorz’s database, hosted on Amazon’s cloud, after acquiring an Amazon Web Services (AWS) access key.
The key was then embedded in an Android application package (APK) which Commeasure created in 2015 and made downloadable for the public on Google Play Store.
Reports noted that the decision to include the access key, labelled as a “test key”, in the APK went against Amazon Web Services’ advice.
Furthermore, the APK was still downloadable despite being tagged as “defunct” by the company. It was only removed after the data breach was brought to light in 2020.
It was reported that about 9,000 of the affected customers are from Singapore.
Affected customers were notified on Sept 26, 2020, and advised to change their RedDoorz account password as a safety measure.
“In deciding the amount of financial penalty to be imposed, we also considered that the organisation, which operates in the hospitality industry, had been severely impacted by the Covid-19 pandemic,” said the PDPC.
The current maximum fine for a data breach is S$1 million. However, firms can be fined more, up to 10 per cent of their annual turnover in Singapore, where that amount exceeds S$1 million.
The increased fine is scheduled to become effective at least a year from Feb 1, 2021. /TISG
Read related: Personal information of more than 57,000 StarHub customers discovered on 3rd party dump site