Law Society, online furniture store FortyTwo ordered to improve security after data breaches

Poor password practices for the Law Society’s administrator account were discovered after the PDPC’s investigations into a ransomware attack on the organisation's servers in 2021. ST PHOTO: GAVIN FOO

SINGAPORE – The Law Society has been ordered to plug security gaps after a ransomware attack compromised the information of 16,009 members, while online furniture store FortyTwo has been fined $8,000 for a data breach.

These were among the findings published by the Personal Data Protection Commission (PDPC) on Thursday.

In a written judgment, Singapore’s privacy watchdog said the Law Society had “negligently breached” its obligation to protect personal information by “using an easily guessable password” for its IT administrator account, which was hacked due to another vulnerability.

Poor password practices for the account were discovered after the PDPC’s investigations into a ransomware attack on the Law Society’s servers on Jan 27, 2021. In the attack, the servers were encrypted and the society was denied access to members’ personal data including their NRIC numbers and residential addresses.

The attack was detected on the same day and the organisation took immediate steps to restore the servers to their original state.

In a statement to the media on Friday, the Law Society said there was no evidence of any unauthorised removal or misuse of members’ personal data, and that the compromised data was not of a highly sensitive nature.

It said members were informed on Feb 4, 2021, and April 1, 2021, about the data security breach.

PDPC investigations into the incident found that the administrator’s account had a weak password – Welcome2020lawsoc – which has been acknowledged by the Law Society to be vulnerable to dictionary attacks, a brute-force technique where hackers run through common words and phrases.

Contrary to the organisation’s password policy, which required a change every three months, the account’s password had also been in use for more than 90 days.
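The two findings above, a password built from guessable tokens and a password that outlived its rotation period, can be turned into a simple audit check. This is an added illustration, not code from the judgment or from the Law Society; the word list, the organisation tokens and the last-changed date are constructed, while the password string itself is the one quoted in the judgment.

```python
import re
from datetime import date

# Constructed, deliberately small word list; a real audit would load a full dictionary.
COMMON_WORDS = {"welcome", "password", "admin", "letmein", "summer", "winter"}
MAX_PASSWORD_AGE_DAYS = 90  # the rotation policy the article describes
YEAR = re.compile(r"(19|20)\d\d")


def dictionary_findings(password: str, org_tokens: set[str]) -> list[str]:
    """Explain why a password would fall to a dictionary attack with simple mangling rules.

    The password is split into alphabetic and numeric runs; each run is matched
    against common words, organisation-specific tokens and four-digit years.
    """
    findings = []
    runs = re.findall(r"[a-z]+|\d+", password.lower())
    matched = 0
    for run in runs:
        if run in COMMON_WORDS:
            findings.append(f"common word '{run}'")
        elif run in org_tokens:
            findings.append(f"organisation token '{run}'")
        elif YEAR.fullmatch(run):
            findings.append(f"year '{run}'")
        else:
            continue
        matched += 1
    if runs and matched == len(runs):
        findings.append("every segment is a guessable token")
    return findings


def is_stale(last_changed: str, today: str) -> bool:
    """True when the password (ISO dates) has outlived the 90-day rotation policy."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > MAX_PASSWORD_AGE_DAYS


def audit(password: str, org_tokens: set[str], last_changed: str, today: str) -> dict:
    """Combine both checks into one finding list for an account."""
    findings = dictionary_findings(password, org_tokens)
    if is_stale(last_changed, today):
        findings.append(f"not changed for more than {MAX_PASSWORD_AGE_DAYS} days")
    return {"weak": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Password quoted in the judgment; the last-changed date is constructed for illustration.
    result = audit("Welcome2020lawsoc", {"lawsoc", "lawsociety"}, "2020-09-01", "2021-01-27")
    for finding in result["findings"]:
        print("-", finding)
```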

The Law Society also did not conduct a review of its security arrangements within three years prior to the ransomware attack, said the judgment.

The organisation was, however, not held responsible for failing to patch a vulnerability in its Fortinet virtual private network (VPN) system, which the judgment concluded was the likeliest route by which the ransomware attacker gained access to the society’s administrator account.

As early as 2019, Fortinet had issued an upgrade to address the vulnerability in its system, but the Law Society’s vendor did not implement it.

Around November 2020, a file containing more than 45,000 session links and IP addresses for the VPN system of affected organisations, including the Law Society, was posted on online forums.

If a VPN system was not patched, clicking on each session link would reveal its users’ credentials in plain text. These credentials likely included the password of the administrator’s account, allowing the hacker to gain access.

Using the compromised account, the hacker created a new account with full administrative privileges and located the Law Society’s servers where its members’ personal information was stored.

After considering the Law Society’s checks on its vendor, the PDPC concluded that the organisation had reasonably relied on its vendor to perform software security patching and was not responsible for failing to patch its VPN system’s vulnerability.

It directed the Law Society to engage qualified security providers to conduct a thorough security audit of its arrangements for accounts with administrative privileges that can access directly or create access to personal data, as well as to rectify any gaps identified.

The Law Society said it would fully comply with the PDPC’s directions.

The organisation said: “In the past two years since the incident, we have already taken a number of proactive steps to enhance our cyber-security infrastructure.

“These include implementing multi-factor authentication for all VPN access and strengthening our in-house IT team to deal with cyber-security matters.”

Responding to queries, a Law Society spokesman said it notified its members and the PDPC more than a week after the incident occurred because it needed time to confirm the breach and to take steps to prevent any further cyber attacks.

Meanwhile, online furniture store FortyTwo was fined for failing to patch and update its website, which resulted in the personal particulars of 6,339 customers being leaked.

The information collected included 98 customers’ credit card details, the PDPC said in another written judgment.

The company reported the incident to the PDPC on Dec 24, 2021.

FortyTwo was found to have breached its obligation to make reasonable security arrangements by not installing security patches released between 2017 and 2020 that addressed issues and bugs, including the injection of malicious code that ultimately captured its customers’ personal data.

The PDPC also held that the company had “ample notice” to upgrade its platform from November 2015 to early 2020 before the attack, but did not do so.

In addition to a fine of $8,000, the furniture company was directed to upgrade its website to a supported software version within six months.

FortyTwo chief technology officer Jasper Chen said the company took remedial action immediately after the data breach occurred in 2021 and has since been strengthening and enhancing its systems.

In a separate judgment, recruitment firm Kingsforce Management Services was found to have breached its obligation to protect personal data after its database of about 54,900 job seekers was sold on the now-defunct RaidForums on or around Dec 27, 2021.

On Jan 31, 2022, the PDPC was notified by the firm that its database, which included addresses, telephone numbers and e-mail addresses, had been made available for sale.

External cyber-security investigators identified outdated website coding technology as the cause of the incident.

The PDPC found that Kingsforce had failed to provide sufficient clarity and specifications on how to protect its database and had not conducted periodic security reviews within a reasonable timeframe since the launch of its website.

In deciding enforcement action against the breach, the privacy watchdog considered several factors, including Kingsforce’s immediate suspension of its website and the inaccessibility of affected data following the shutdown of RaidForums in 2022.

The PDPC has ordered the firm to ensure that regular patching, updates and upgrades take place for all software and firmware supporting its website and application through which personal data can be accessed.

A Kingsforce spokesman said the affected job seekers were primarily from elsewhere as the firm’s website is popular among foreigners looking to work in Singapore.

The firm said taking down its website was a significant loss for its business, and that it has since taken steps to redevelop its site, which is now partially live.
