Case fined $20,000 for PDPA breaches compromising consumers’ personal data

Source: Straits Times
Article Date: 30 Aug 2024
Author: Ian Cheng

Case was fined for failing to put in place reasonable security arrangements to protect the personal data in its possession or under its control.

The Consumers Association of Singapore (Case) has been fined $20,000 for breaches under the Personal Data Protection Act (PDPA).

In a judgment published on Aug 28, the Personal Data Protection Commission (PDPC) said the consumer watchdog was fined for failing to put in place reasonable security arrangements to protect the personal data in its possession or under its control.

It had also failed to develop and implement policies and practices that are necessary to meet its obligations under the PDPA.

The breaches led to two separate incidents – in October 2022 and June 2023 – where up to 22,542 e-mail addresses in the first case, and consumer data of 12,218 individuals in the second, that Case had in its possession were possibly compromised.

The first incident

Case first notified PDPC of a data breach involving a threat actor accessing its e-mail accounts and sending phishing e-mails on Oct 8 and 9, 2022, from its official e-mail addresses.

On Oct 8, 2022, some of Case’s consumers received unsolicited e-mails from “[email protected]”, an account used to communicate with consumers who lodge complaints on its website.

In the e-mail, consumers were told that their complaints had been escalated to the “collections and compensation department”, and that they were eligible for a compensation payout.

They were requested to click on a chat icon to fill in their banking details to complete the payment process.

The next day, similar e-mails were sent from “[email protected]”, an account used to communicate with consumers whose complaints were escalated to mediation.

Following this, in January and February 2023, Case received complaints of more such e-mails being sent to its consumers from e-mail addresses that did not originate from its domain.

Based on the circumstances, the PDPC judgment said these affected consumers’ e-mails were likely harvested by the threat actor during the course of the first incident.

Of the affected consumers, three of them informed Case that they had clicked on an embedded icon within the phishing e-mails, and had money withdrawn from their bank accounts. They allegedly lost a collective $217,900. Case then made a police report.

A total of 5,205 phishing e-mails were sent to 4,945 recipients from “[email protected]” and “[email protected]”. They were generally of the same content and format, did not contain any complaint-specific details, and consisted of fictitious data, said PDPC.

The compromise of “[email protected]” had exposed up to 22,542 e-mail addresses, while “[email protected]” did not contain any data, PDPC added.

Beyond these, investigations did not reveal any further personal data that the threat actor had access to. 

Investigations by a private forensic expert engaged by Case revealed that the threat actor had successfully signed in to the affected accounts using the correct login credentials, which were likely obtained from a phishing attack on a Case employee.

Some of Case’s computers were also found to have been running on end-of-life operating systems, which are generally vulnerable as they are no longer supported or maintained with security updates by vendors.

Following this incident, Case informed those who had received phishing e-mails not to click on any links within, and also published alerts on its online platforms to alert consumers to them. Their affected accounts were also suspended, and all administrator accounts had their passwords reset with increased complexity requirements.

Case also assembled a task force to manage the incident, conduct investigations, and provide recommendations to improve its cybersecurity.

The second incident

While PDPC was investigating the first incident, it received a complaint on June 22, 2023 regarding a phishing e-mail that reproduced a consumer’s complaint submitted to Case.

Subsequently, PDPC was informed of more such cases, with a total of 28 individuals receiving such targeted phishing e-mails.

In these cases, however, the e-mail addresses did not originate from Case’s domain.

“Since such data was contained within (Case’s) systems, the unavoidable conclusion is that their personal data (at the very least, their e-mail addresses and complaints) had been exfiltrated from (Case’s) systems,” said PDPC in its judgment.

Investigations did not yield a definitive conclusion on how the data breach in the second incident occurred, but PDPC concluded that it likely occurred during a data migration exercise conducted by Case between Dec 24, 2019, and Jan 1, 2020, when it changed vendors.

The personal data of 12,218 individuals involved in the data migration was put at risk of unauthorised access and exfiltration, said PDPC.

The data included the individuals’ names, e-mail addresses and contact numbers, as well as the details of their complaints.

However, none of the affected individuals suffered any monetary loss in the second incident.

Following this incident, Case informed its consumers not to click on links within phishing e-mails, and remained in touch with the 28 individuals.

It also alerted consumers to the phishing e-mails through its online platforms.

PDPC’s findings

By its own admission, and on the basis of PDPC’s findings, Case was found to have breached its PDPA obligations, the judgment said.

Case’s password management policy was found to be “manifestly insufficient” to safeguard the personal data in its possession, said PDPC.

It did not enforce its own password policy, with one of the affected accounts having a password that was in use despite not meeting minimum length and complexity requirements.

It also failed to adopt and enforce a policy on how frequently the passwords ought to be changed, with affected accounts having passwords that had remained unchanged for four years prior to the first incident.

In the second incident, Case’s contract with one of its vendors did not stipulate clear security responsibilities in relation to its systems or data, leading PDPC to conclude that Case’s negligent vendor management had put personal data under its control at risk of unauthorised access and disclosure.

Case admitted to a failure to conduct regular security awareness training for its staff, having last held data protection training in 2017 – five years before the first incident.

The consumer watchdog had also indicated that it did not have any information and communications technology policies in place, having simply “relied on its IT (information technology) staff to conduct maintenance and updates, as and when necessary”.

Case’s e-mail security measures were found to have been insufficient, and it did not have in place sufficient logging and monitoring practices to detect suspicious activity or unauthorised access promptly.

It did not have internal controls to monitor the security of its systems, and had no documented IT infrastructure management plan to protect its systems. It had also not performed any security reviews of its systems in the three years preceding the first incident.

PDPC directed Case to review and update its policies relevant to personal data protection and rectify all security gaps identified by the private forensic expert.

What has Case done?

After the vulnerabilities identified by the private forensic expert have been rectified, Case will arrange for a penetration test to identify cyber security gaps.

To prevent recurring or similar incidents, Case implemented multi-factor authentication for all its web-based applications, and procured a security package against malware, spam, and phishing e-mails. Access rights to system functions have also been reviewed and tightened.

All end-of-life devices have been decommissioned, and patch management software has been installed in its systems for security updates to be remotely pushed through.

It has also enhanced password strength and complexity requirements, and mandated password changes for all mailboxes every three months.

Case’s contracts with all outsourced vendors now have to include data protection clauses, with vendors having to comply with both PDPA’s and its own standard operating procedures for handling personal data.

New staff members will receive data protection training, and all staff members will receive refresher training annually.

Arrangements are being made for Case to obtain the Cyber Essentials Mark, which aims to help small and medium-sized enterprises have baseline cyber defences to safeguard their systems and operations from common cyber attacks, and subsequently the Data Protection Trust Mark, which recognises companies that have put in place data protection regimes to comply with obligations under the PDPA.

Source: Straits Times © SPH Media Limited. Permission required for reproduction.
