5.9 million customers hit by RedDoorz data breach, Latest Singapore News - The New Paper

Personal Data Protection Commission fines firm that operates the hotel booking website $74,000

The personal data of nearly 5.9 million Singaporean and other South-east Asian customers of hotel booking site RedDoorz was found to have been leaked, in what the Government has called Singapore's largest data breach.

The Personal Data Protection Commission (PDPC) has fined local company Commeasure, which operates the website, $74,000. This is much lower than the combined $1 million fine imposed on SingHealth and Integrated Health Information Systems for a 2018 data breach that affected 1.5 million people.

"In deciding the amount of financial penalty to be imposed, we also considered that the organisation, which operates in the hospitality industry, had been severely impacted by the Covid-19 pandemic," the PDPC said in a judgment issued last Thursday.

"This is the largest data breach that has occurred since the Personal Data Protection Act came into effect," it added.

RedDoorz said last year that most of the compromised data came from the platform's largest market, Indonesia. Its customers are all from South-east Asia. It is understood about 9,000 of those affected are from Singapore.

The maximum fine now for a data breach is $1 million under the Act. But companies can soon be fined more - up to 10 per cent of their annual turnover in Singapore or $1 million, whichever is higher. This is slated to take effect some time next year, at the earliest.

The data in the Commeasure incident included each customer's name, contact number, date of birth, encrypted password to the RedDoorz account and booking information. The stolen data was put up for sale before it was taken down, reported The Business Times last year.

Commeasure found out about the breach on Sept 19 last year, after it was alerted by an American cyber-security firm. The PDPC was notified on Sept 25.

The hackers likely accessed the firm's database, hosted on an Amazon cloud database, after getting an Amazon Web Services access key. This key was embedded in an Android application package created by Commeasure in 2015 and publicly available for download from the Google Play store. Such a package is used to distribute and install a mobile app.

Commeasure wrongly labelled the access key in the package as a "test key". The package was eventually regarded as "defunct" by the company, but it could be downloaded from Google Play and was removed only after the breach was found.

Since the package was considered defunct, it was left out when Commeasure engaged a cyber-security company to conduct a security review and tests from September to December 2019. This meant a security tool that could have prevented the hackers from getting the access key was not used on it.

The PDPC said that had the firm examined this application package or the key, the breach could have been prevented. It was not satisfied that the IT security reviews that Commeasure conducted met standards required under the law.

In arriving at the $74,000 fine, it said it considered factors such as the actions Commeasure took. These included allowing only white-listed Internet protocol addresses to access its live databases.

Although the firm conducted periodic security reviews, the PDPC said these efforts were futile as the affected application package was excluded.
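The kind of check that would flag an access key embedded in an application package, as described above, is sketched below. It is an added example and not code from Commeasure, the PDPC or this article. The sample package is constructed in memory and uses the placeholder key ID from AWS's own documentation; the file names inside it are assumptions.

```python
import io
import re
import zipfile

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA for
# long-term keys, ASIA for temporary ones) followed by 16 of [A-Z0-9].
KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")


def scan_apk(apk_bytes):
    """Return sorted (entry_name, key_id) pairs found anywhere in the package.

    An APK is a zip archive. Every entry is searched as raw bytes, because
    ASCII string constants sit contiguously inside compiled classes.dex as
    well as in plain resource files. Labels such as "test key" are ignored:
    any key ID in a published artifact is reported.
    """
    findings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            for match in KEY_ID_RE.finditer(apk.read(info)):
                findings.add((info.filename, match.group(0).decode("ascii")))
    return sorted(findings)


def build_sample_apk(with_key=True):
    """Constructed sample: a minimal zip laid out like an APK (hypothetical names)."""
    key = b"AKIAIOSFODNN7EXAMPLE" if with_key else b""  # AWS documentation placeholder
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.booking'/>")
        # Fake DEX body: header bytes, then a length-prefixed string constant.
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32 + b"\x14" + key + b"\x00")
        z.writestr("res/raw/config.properties", b"# test key\naws.key=" + key + b"\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, key_id in scan_apk(build_sample_apk()):
        print(f"{entry}: embedded AWS access key ID {key_id}")
```

Running the same scan over every package still listed in an app store, including ones the team regards as defunct, covers the gap the PDPC identified in the security review's scope.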
