Chan Brothers Travel is being investigated by Singapore's privacy watchdog after the personal data of close to 450 of its customers was found to be publicly accessible.
Screenshots of a tip-off seen by The Straits Times showed that the tour agency's website exposed data such as the names, NRIC numbers, passport numbers and even travel plans of its customers.
The Personal Data Protection Commission (PDPC) said yesterday that it has been notified of the incident and is investigating.
Responding to queries, a Chan Brothers spokesman said it takes full responsibility for the incident and that it was notified of the vulnerabilities on Thursday.
It is currently working with its vendor Aodigy Asia Pacific to determine what caused the exposure.
"Upon notification of the vulnerabilities, we immediately took action to address the matter, including containing the extent of vulnerabilities, assessing the extent of impact and reporting the incident to PDPC," the spokesman said.
"Some of the measures undertaken require continual monitoring, review and action, as it involves information that has been publicly cached," she added.
Chan Brothers has since shut the website down.
When The Straits Times visited the site yesterday, some data was still publicly accessible via cached pages, or temporarily available versions of the site.
Asked if Chan Brothers has informed any of the affected customers, the spokesman said it is progressively contacting them.
"We are currently investigating this matter and ascertaining the extent and nature of information that was revealed. We would like to assure our customers that no sensitive financial and booking information was revealed," she said.
"That said, we recognise that no personal data should be exposed at all in any manner, and that it is our responsibility and priority to protect our customers' personal data."
Mr Andrew Goh, co-founder of local financial technology start-up Factors Platform, informed The Straits Times of the insecure data, which he found while gathering data sets for his work on Wednesday evening.
He discovered that he could look up clients' inquiries and post-tour surveys on the website.
"I found close to 500 entries in aggregate (inquiries and surveys). Close to 450 of them are unique clients," he said.
On Thursday, Mr Goh went to the Chan Brothers office and met the IT director, who told him that the issue would be sorted out.
Later that day, Mr Goh received a call from a Chan Brothers staff member, who said the problem had been fixed.
Mr Goh checked the website again in the evening and saw that the personal data could still be found.
The Chan Brothers spokesman said Mr Goh was still able to view the information that evening as it was "stored in cached pages by the search engines' servers".
On what recourse Chan Brothers will be providing its customers, its spokesman said the agency will personally address individual concerns.
This incident comes on the heels of last week's news that PDPC was investigating a breach of the Singapore Red Cross website, which compromised the personal data of more than 4,200 people, including their full names and contact numbers.
On Thursday, the PDPC said in a statement that organisations which admit their role in a data breach and plead guilty to it may get a lower financial penalty if the cause is a common breach.