In another case of a data breach, personal data of almost 5.9 million Singaporean and South-east Asian customers of hotel booking site RedDoorz has been leaked. Industry watchers have dubbed this as Singapore’s largest data breach.
Section 24 of the Personal Data Protection Act 2012 (“PDPA”) requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the “Protection Obligation”). Authorities noted that Commeasure, the company which runs RedDoorz website failed to implement reasonable security arrangements to protect the personal data in its control.
A financial penalty of $74,000 was imposed on Commeasure for failing to put in place reasonable security arrangements to prevent the unauthorised access and exfiltration of customers’ personal data hosted in a cloud database, the ruling said.”In deciding the amount of financial penalty to be imposed, we also considered that the organisation, which operates in the hospitality industry, had been severely impacted by the Covid-19 pandemic,” said the PDPC in a judgment issued last Thursday (November 11).
The data leak included customer’s name, contact number, e-mail address, date of birth, encrypted password to a customer’s RedDoorz account and booking information, authorities said. The hackers did not access or download customers’ masked credit card numbers.
On 25 September 2020, the Personal Data Protection Commission received a data breach notification from Commeasure Pte Ltd that its database containing 5,892,843 customer records had been accessed and exfiltrated. Commeasure first found out about the data breach on 19 September 2020 when a cybersecurity company based in Atlanta, US, approached it with an offer to contain the breach and retrieve the data from the hackers. PDPC subsequently commenced investigations into the incident.
Cause of the Incident
Investigations revealed that the unknown threat actor(s) had most likely gained access and exfiltrated Commeasure’s database of customer records hosted in an Amazon RDS cloud database, after they obtained an AWS access key. The AWS access key was embedded within an Android application package (“the affected APK”) publicly available for download from the Google Play Store.
This affected APK was created sometime in 2015, when Commeasure was still a start-up, and was last updated in January 2018. Even though the AWS access key had access to a “live” or production database, the AWS access key was embedded in the APK, and erroneously marked as a “test” key by the then-developers. With the exception of one of the Commeasure’s co-founders and Chief Technology Officer, all the developers have since left the organisation.
Most unfortunately, even though Commeasure regarded this APK as “defunct”, the APK remained publicly available for download on the Google Play Store until it became aware of the incident and removed the affected APK. The fact that Commeasure had treated the affected APK as a “defunct” APK meant that even though it had engaged a cybersecurity company to conduct a security review and penetration testing sometime from September 2019 to December 2019, it was not within the scope of the security review or penetration tests.
Consequently, the vulnerability was left undetected and exposed until the organisation found out about the incident. Likewise, even though Commeasure used “Proguard” on its current Android apps to prevent reverse engineering of APKs, which may have prevented the unknown threat actors from retrieving the AWS access key, it failed to review and deploy “Proguard” on the affected APK which it regarded as “defunct”.
As a result of the incident, Commeasure’s database containing 5,892,843 customer records which included the customer’s name, contact number, email address, date of birth, a hashed password (encrypted with oneway BCrypt hash algorithm) used by the customer to access their “RedDoorz” account and their booking information was accessed and exfiltrated, by unknown threat actor(s). Based on Commeasure’s investigations, the unknown threat actor(s) did not gain access or download the customers’ masked credit card numbers.
The maximum fine for a data breach is $1 million now under the Personal Data Protection Act which came into effect in 2013. However, firms can soon be fined up to 10 per cent of their annual turnover in Singapore, or $1 million, whichever is higher. The higher fine is slated to take effect at least 12 months from Feb 1 this year.
Remedial action
Following the incident, Commeasure the affected APK was removed from the Google Play Store. Further, old access keys were invalidated and new access keys were created. The infrastructure and code repository access credentials were changed. Also, IP blocking of suspicious traffic was enabled; and all the affected customers were informed via email on 26 September 2020 of the data breach, advising them to change their RedDoorz account password as an added precautionary measure, and to avoid using the same password on other digital platforms.
To prevent a recurrence of the incident or similar incidents, Commeasure also took other remedial actions. It amended its credential policyto clearly prohibit developers from embedding access codes in any code base. Commeasure upgraded its IT infrastructure to a private space for isolation of the customer database from the Internet. Only whitelisted IP addresses were allowed connection to ‘live’ databases.
The organisation separated the accounts for production and staging environments for all AWS services. Two-factor authentication was enabled for all tools and accounts used by developers. VPN-based control was implemented to access infrastructure resources. Commeasure configured alerts to capture mySQL dump query, Web application firewalls were set up and an audit of all user access to the AWS environment was conducted. The organisation appointed a cybersecurity company to conduct vulnerability assessment and penetration testing of all its existing applications.
