Data of 5.9M RedDoorz Customers Leaked in Breach
Singapore PDPC Fines Company Only $54,637 Because of Pandemic's Effect on Business
The Singapore Personal Data Protection Commission, or PDPC, has fined Commeasure Pte. Ltd., which operates hotel booking platform RedDoorz, S$74,000 - or U.S. $54,637 at the current exchange rate - for what the commission called the "largest data breach" since its inception in 2012, which put at risk 5.9 million customer records.
The RedDoorz penalty is significantly lower than S$1 million, or U.S. $738,000 - the current maximum for companies that suffer data breaches - which the PDPC imposed on IHiS and SingHealth. The SingHealth breach affected 1.5 million Singaporeans - one-quarter the number of RedDoorz data breach victims.
In its judgement, the PDPC says it decided the financial penalty after taking into account that RedDoorz operated in the hospitality sector, which was severely affected by the COVID-19 pandemic.
The data breach first came to light on Sept. 19, 2020, when an unnamed U.S. cybersecurity firm approached RedDoorz with an offer to contain the breach and retrieve data from the hackers, the PDPC says. The commission did not specify how the cybersecurity firm learned of the leaked data, but a Business Times report says that "stolen" data from RedDoorz and one other e-commerce website appeared on a known underground hacker forum.
After analyzing the claim, Commeasure's IT team found that the RedDoorz database of customer records, hosted on an Amazon Relational Database Service (RDS) cloud database, had been compromised, the PDPC says. The Amazon Web Services access key for the live database, it says, was embedded in an Android application package (APK) that was publicly available for download on the Google Play Store.
The PDPC says it was informed of the incident on Sept. 25, 2020, in accordance with breach notification requirements.
The affected database contained 5,892,843 customer records, and the unidentified threat actors behind the attack were able to exfiltrate "customer's name, contact number, email address, date of birth, a hashed password [encrypted with one-way BCrypt hash algorithm] used by the customer to access their RedDoorz account, and their booking information," the PDPC says.
The affected APK was created in 2015, and the AWS access key, marked as a "test" key by the developers, was erroneously embedded into it. Amazon "clearly advises users to protect the access keys," since "anyone who has the access keys for your AWS account root user has unrestricted access to all resources in your AWS account." AWS also cautions users not to "embed access keys directly into code," the PDPC says.
RedDoorz later treated this APK as defunct and excluded it from the security audit conducted between September and December 2019 by an external cybersecurity firm. The firm did carry out a security review and penetration testing, but because the APK was considered defunct, "it was not within the scope of the security review or penetration tests," the PDPC says.
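The root cause above is a live cloud credential shipped inside a public app package. The check that catches this class of mistake is secret scanning of the built artifact, not only of the source tree, because a key that a developer considers a "test" key still ends up in the APK. The following is an added example, not code from the article or from RedDoorz: it unpacks an APK (which is a ZIP file) and scans every member, including the binary classes.dex, for AWS access key ID patterns. The sample APK is constructed in the script itself, and the credentials in it are the placeholder values from AWS's own documentation, not real keys.

```python
import io
import re
import zipfile

# AWS access key IDs are 20 uppercase alphanumerics with a known prefix:
# AKIA for long-lived IAM user keys, ASIA for temporary STS keys.
ACCESS_KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 base64-like characters. Alone that pattern is noisy,
# so only report it when it follows an AWS-style variable or resource name.
SECRET_RE = re.compile(
    rb"(?i)(aws)?_?secret(_access)?_?key[^A-Za-z0-9/+]{1,6}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def scan_bytes(name, data):
    """Return a list of findings for one file's raw bytes.

    Working on bytes rather than decoded text means DEX bytecode and other
    binary members are covered too: string constants inside them are plain ASCII.
    """
    findings = []
    for m in ACCESS_KEY_ID_RE.finditer(data):
        findings.append({"file": name, "kind": "aws_access_key_id",
                         "offset": m.start(), "value": m.group(0).decode()})
    for m in SECRET_RE.finditer(data):
        secret = m.group(3).decode()
        # Never echo a full secret into a report; keep just enough to locate it.
        findings.append({"file": name, "kind": "aws_secret_access_key",
                         "offset": m.start(3), "value": secret[:4] + "..." + secret[-4:]})
    return findings


def scan_apk(apk_bytes):
    """Scan every member of an APK (a ZIP archive) and collect findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.extend(scan_bytes(info.filename, zf.read(info)))
    return findings


def build_sample_apk():
    """Constructed sample: a minimal APK-shaped ZIP with a leaked 'test' key.

    The key ID and secret are the AWS documentation placeholders
    (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY), not live credentials.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "res/values/strings.xml",
            '<resources><string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>'
            '<string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>'
            '</resources>',
        )
        # Fake DEX: a magic header, some padding, then a class name and the key ID
        # as NUL-terminated strings, the way string constants sit in real bytecode.
        zf.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"\x00" * 8
            + b"Lcom/example/Config;\x00AKIAIOSFODNN7EXAMPLE\x00" + b"\xff" * 4,
        )
        # A binary asset with nothing to find.
        zf.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_apk(build_sample_apk()):
        print(f"{f['file']}@{f['offset']}: {f['kind']} {f['value']}")
```

Run this against every release artifact in CI, not just on commit hooks: the article's point is that the APK was excluded from a later audit as "defunct" while still being downloadable, so the scan belongs wherever the artifact is published. A hit should be treated as a rotation event, not a code cleanup, because the key is already public once the package is.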
The commission says the only positive takeaway from the data breach incident is that the threat actors behind the attack were unable to compromise and download the customers' masked credit card numbers, which it learned from the RedDoorz investigation reports.
The PDPC says the RedDoorz security measures were unsatisfactory based on the guidelines of section 24 in the Personal Data Protection Act of 2012, which requires an organization to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks." For its unsatisfactory security, the PDPC found RedDoorz liable to pay a fine and stated that "the Incident could have been prevented."
RedDoorz removed the affected APK from Google Play Store and created new access keys and credentials for code repository access after invalidating the old ones, says the PDPC, citing the remedial measures taken by the organization after the data breach incident.
It says that to avoid future incidents, the company also:
- Prohibited developers from embedding access codes in any code base by improving its credential policies;
- Reorganized the IT infrastructure so that the customer database is isolated from the internet, with only whitelisted IP addresses now allowed to connect to "live" databases;
- Introduced separate production and staging environments for all AWS services, enabled two-factor authentication for all tools and accounts used by developers, and implemented VPN-based control of access to infrastructure resources;
- Set up web application firewalls and configured alerts to capture MySQL dump queries;
- Appointed an unnamed cybersecurity company to conduct vulnerability assessment and penetration testing of all its existing applications.
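The second of those measures, allowing only whitelisted addresses to reach the live database, is something that can be verified continuously rather than assumed. The following is an added example, not RedDoorz's or AWS's code: it takes security-group descriptions in the shape returned by the EC2 DescribeSecurityGroups API (the `IpPermissions` / `IpRanges` / `Ipv6IpRanges` structure) and reports any rule that exposes a database port to a source outside an allowlist. The allowlist, group IDs and rules here are constructed for the example; the VPC range and VPN egress range are assumptions, and a real run would feed the function the output of a boto3 `describe_security_groups()` call.

```python
import ipaddress

# Assumed allowlist (constructed): the private VPC CIDR and the VPN/office egress
# range. 203.0.113.0/24 is the TEST-NET-3 documentation block, not a real network.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Ports on which a reachable database engine would matter (MySQL, PostgreSQL).
DB_PORTS = {3306, 5432}


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits traffic to the given TCP port.

    An "-1" protocol means all traffic, which has no FromPort/ToPort at all; that
    edge case is exactly the one a naive port comparison would miss.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def source_allowed(cidr, allowed=ALLOWED_SOURCES):
    """True if the CIDR lies entirely inside one allowlisted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def find_exposed_db_rules(security_groups, allowed=ALLOWED_SOURCES, db_ports=DB_PORTS):
    """Return one violation per (group, source CIDR) that reaches a DB port from
    outside the allowlist. Both IPv4 and IPv6 ranges are checked; "::/0" on an
    all-traffic rule is as open as "0.0.0.0/0".
    """
    violations = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            ports = sorted(p for p in db_ports if rule_covers_port(perm, p))
            if not ports:
                continue
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6IpRanges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if cidr and not source_allowed(cidr, allowed):
                    violations.append({"group": sg["GroupId"], "cidr": cidr, "ports": ports})
    return violations


# Constructed sample in DescribeSecurityGroups shape: one group as it might have
# looked before remediation (database open to the world) and one after (database
# reachable only from the VPN egress address, but with an IPv6 all-traffic slip).
SAMPLE_GROUPS = [
    {"GroupId": "sg-weak-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6IpRanges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6IpRanges": []},
    ]},
    {"GroupId": "sg-fixed-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6IpRanges": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6IpRanges": [{"CidrIpv6": "::/0"}]},
    ]},
]


if __name__ == "__main__":
    for v in find_exposed_db_rules(SAMPLE_GROUPS):
        print(f"{v['group']}: {v['cidr']} can reach ports {v['ports']}")
```

The 443 rule in the first group is deliberately not reported: the check is about database reachability, and a web port open to the internet is a separate policy question. The point of the IPv6 case in the second group is that an allowlist enforced only for IPv4 leaves a second front door, so the function compares address families explicitly instead of assuming every rule is IPv4.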
RedDoorz did not respond to Information Security Media Group's request for additional information on preventive and mitigation efforts.
Other Commission Actions
In a separate judgement given on the same day, the PDPC says that Giordano Originals Pte. Ltd. was not in breach of the Personal Data Protection Act in a July 2020 ransomware incident in which personal data of 790,000 members and 184 employees in encrypted form were "affected."
"Investigations revealed that the organization had in place reasonable security measures that are consistent with the recommendations of the PDPC," the judgement says.
"[I am] satisfied that the organization had met its protection obligation under section 24 of the PDPA," says Yeong Zee Kin, deputy commissioner for personal data protection. "In light of our findings, we will not be issuing any directions or taking any further enforcement action against the organization in relation to the incident."
The PDPC has published an undertaking of Fujioh International Trading Pte. Ltd., whose website had been affected by URL manipulation, resulting in 2,771 customers' personal data being exposed through Fujioh's online warranty system on the website. "The commission has reviewed the matter and determined that Fujioh had complied with the terms of the undertaking," the PDPC stated.