This is the largest data breach that has occurred since the Personal Data Protection Act came into effect
In what the Government has called Singapore’s largest data breach, the personal data of nearly 5.9 million Singaporean and South-east Asian customers of hotel booking site RedDoorz was found to have been leaked.
Local firm Commeasure, which operates the website, has been fined $74,000 by the Personal Data Protection Commission (PDPC).
This is much lower than the combined $1 million fine imposed on SingHealth and Integrated Health Information Systems for the 2018 data breach, which affected 1.5 million people.
The commission said it had considered the hardship caused to the hospitality sector by the Covid-19 pandemic.
“In deciding the amount of financial penalty to be imposed, we also considered that the organisation, which operates in the hospitality industry, had been severely impacted by the Covid-19 pandemic,” said the PDPC in a judgment issued last Thursday, 11 November.
“This is the largest data breach that has occurred since the Personal Data Protection Act came into effect”.
RedDoorz said last year that most of the compromised data came from the booking platform’s largest market, Indonesia. The company’s customers are all from South-east Asia.
It is understood that about 9,000 of the affected people are from Singapore.
Under the Act, which came into force in 2013, the maximum fine for a data breach is currently $1 million.
But firms can soon be fined up to 10 per cent of their annual turnover in Singapore or $1 million, whichever is higher. The higher fine is slated to take effect at least 12 months from 01 Feb this year.
The affected data in the Commeasure incident included the customer’s name, contact number, e-mail address, date of birth, encrypted password to his RedDoorz account and booking information.
The hackers will not be able to use the customer passwords as they were encrypted, unless they find a way to decode them. This reduces the likelihood of the crooks being able to use the passwords to hack into victims’ RedDoorz accounts.
The hackers did not access or download customers’ masked credit card numbers.
However, with the other personal details leaked in the data breach, cyber criminals might be able to pose as the victims and try to take over other online accounts that use similar details, going by what cyber-security experts have said in other incidents.
It also means that the victims could be targeted by more spam messages and phishing attempts.
The stolen data was put up for sale on a hacker forum before it was taken down, The Business Times reported last year.
Commeasure found out about the data breach on 19 September last year, after an American cyber-security firm alerted the company. PDPC was notified on 25 September.