Manpower services firm fined $9,000 for data leak affecting 23,940 people
More than 96,880 images of identification documents were downloaded from Century Evergreen’s website over three days in December 2022.
SINGAPORE – Manpower services firm Century Evergreen has been fined $9,000 by Singapore’s data privacy watchdog for a vulnerability that resulted in the download of identification documents of 23,940 people from its website.
These documents included images of their national registration identity card, or NRIC.
Over 96,880 images of these documents were downloaded from the firm’s website over three days in December 2022, the Personal Data Protection Commission (PDPC) said on Friday.
The firm, which supplies part-timers to various industries here, requires job seekers to submit identification documents to verify their identity and suitability.
The leak was discovered by an unnamed party who realised that images of the documents were publicly accessible on the firm’s website and lodged a complaint with the PDPC on Dec 11, 2022.
Following the PDPC’s investigations, the firm admitted that the vulnerability, which allowed the unnamed party to access personal data simply by altering the web address of a document, had existed since the site’s launch in 2015.
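The flaw described above, where changing part of a web address returns someone else’s file, is the pattern usually called an insecure direct object reference. The following is an added illustration of that pattern and its fix, written for this article; it is not Century Evergreen’s code, and the record store, usernames and handler names are constructed for the example. The vulnerable handler hands back whatever record the URL names; the hardened one requires a session, checks ownership on the server, and uses unguessable identifiers so the URL space cannot simply be counted through.

```python
"""Insecure direct object reference: vulnerable handler beside a hardened one.
Constructed sample data and hypothetical handler names; not the firm's code."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Upload:
    owner: str        # username of the job seeker who uploaded the document
    filename: str
    content: bytes


# Constructed store keyed by a sequential number, the layout that makes
# /uploads/1, /uploads/2, ... trivial to walk.
SEQUENTIAL_STORE = {
    1: Upload("alice", "nric_front.jpg", b"<alice image bytes>"),
    2: Upload("bob", "nric_front.jpg", b"<bob image bytes>"),
}


class Forbidden(Exception):
    """No session, or the caller may not see this record."""


class NotFound(Exception):
    """Record missing, or deliberately hidden from this caller."""


def vulnerable_get_upload(current_user, upload_id, store=SEQUENTIAL_STORE):
    """Vulnerable: the identifier in the URL is trusted outright, so any
    visitor, logged in or not, who edits the number gets another person's
    document."""
    try:
        return store[upload_id].content
    except KeyError:
        raise NotFound from None


def secure_get_upload(current_user, upload_id, store=SEQUENTIAL_STORE):
    """Hardened: require a session and verify ownership server-side.
    Returning NotFound for both missing and foreign records avoids confirming
    which identifiers exist."""
    if current_user is None:
        raise Forbidden("login required")
    upload = store.get(upload_id)
    if upload is None or upload.owner != current_user:
        raise NotFound
    return upload.content


def new_upload_id():
    """Defence in depth: a random identifier cannot be enumerated, although
    it is never a substitute for the ownership check above."""
    return secrets.token_urlsafe(16)


def enumerate_ids(handler, current_user, candidate_ids, store=SEQUENTIAL_STORE):
    """Simulate an attacker walking through identifiers; returns the ones
    that yielded a document."""
    leaked = []
    for candidate in candidate_ids:
        try:
            handler(current_user, candidate, store)
        except (Forbidden, NotFound):
            continue
        leaked.append(candidate)
    return leaked


if __name__ == "__main__":
    print("anonymous vs vulnerable:", enumerate_ids(vulnerable_get_upload, None, range(1, 5)))
    print("anonymous vs hardened:", enumerate_ids(secure_get_upload, None, range(1, 5)))
    print("alice vs hardened:", enumerate_ids(secure_get_upload, "alice", range(1, 5)))
```

Running the script shows the anonymous walk recovering every record from the vulnerable handler and nothing from the hardened one, while a logged-in user still sees only their own upload. The ownership check is the control that matters; random identifiers only raise the cost of guessing.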
The firm admitted that it failed to include any security requirements to protect personal data in its contract with the vendor that developed and maintained the website.
It also admitted that apart from conducting functionality testing when the website was launched, it made no arrangements with its information technology vendor to conduct security tests before or after the launch.
In its report, the PDPC said the firm’s failure to put in place reasonable security arrangements to protect personal data was a matter of “gross negligence”, given the long period of non-compliance between 2015 and 2022.
The PDPC said the amount of the financial penalty was decided after considering several factors, including the firm’s voluntary admission of the breach, its prompt action to remedy the vulnerability and its poor performance in the most recent financial year.
Separately, car rental company Autobahn Rent A Car was fined $3,000 by the PDPC after its system was hacked, resulting in the theft and sale of 53,000 personal data sets on a cybercrime forum.
A hacker had exploited an unrevoked administrator account with access to the database of Shariot, the company’s car-sharing service. This surfaced when an image on Shariot’s mobile application was replaced with a pornographic picture, the PDPC said on Wednesday.
The photograph was reported to the company through customer feedback on Sept 24, 2022.
The company then traced the photograph to a former employee’s administrator account, which was not revoked despite the employee leaving in May 2022.
It learnt that the former employee had received an e-mail from an unknown sender on Sept 10, 2022, stating that his personal laptop had been hacked and demanding a ransom in Bitcoin.
Using the former employee’s admin account, the hacker stole a copy of the personal data of Shariot’s users.
On Oct 21, 2022, a cyber-security solutions provider alerted the company that a Shariot database containing personal data was put up for sale on a cybercrime forum. It included names, e-mail addresses, mobile phone numbers, NRIC numbers and general location data of places such as Bishan and Toa Payoh.
On the same day, the company reported the personal data breach to the PDPC.
Following the incident, the company conducted an internal audit of its administrator accounts, enhanced its system to mask NRIC numbers to only show the last four characters, and conducted training.
The PDPC said the company admitted that it had failed to ensure it had put in place reasonable security arrangements to prevent the unauthorised access or disclosure of the personal data in its possession or control.
The company also accepted that the breach would not have occurred if it had implemented multi-factor authentication as an additional control for admin accounts that had access to its sizeable user database.
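Two controls decide the Autobahn case: revoking administrator access when staff leave, and requiring multi-factor authentication on the accounts that remain. The following is an added example of the audit a company in that position would run, written for this article with constructed sample accounts and departure dates; it is not the company’s own tooling. It flags enabled admin accounts whose holder has already left, notes whether the account was used after the departure date, and lists privileged accounts with no MFA enrolment.

```python
"""Audit of administrator accounts: orphaned accounts after staff departures,
and privileged accounts without MFA. Constructed sample data, hypothetical
names; not the company's tooling."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AdminAccount:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: date


# Constructed sample: three admin accounts and the HR record of leavers.
ADMIN_ACCOUNTS = [
    AdminAccount("ops.lead", True, True, date(2022, 9, 20)),
    AdminAccount("j.tan", True, False, date(2022, 9, 24)),    # left in May, still enabled
    AdminAccount("contractor", False, False, date(2022, 1, 5)),  # disabled correctly
]
DEPARTURES = {
    "j.tan": date(2022, 5, 31),
    "contractor": date(2022, 2, 1),
}


def orphaned_admins(accounts, departures, as_of):
    """Enabled accounts whose holder left before `as_of`.

    Returns (username, days since departure, used after departure). Any login
    after the departure date means the account was active in someone's hands
    and is itself a finding, not just a hygiene gap.
    """
    findings = []
    for acct in accounts:
        left = departures.get(acct.username)
        if acct.enabled and left is not None and left < as_of:
            findings.append((acct.username, (as_of - left).days, acct.last_login > left))
    return findings


def admins_without_mfa(accounts):
    """Enabled privileged accounts that a stolen password alone would open."""
    return sorted(a.username for a in accounts if a.enabled and not a.mfa_enrolled)


if __name__ == "__main__":
    today = date(2022, 9, 24)
    for username, days, used in orphaned_admins(ADMIN_ACCOUNTS, DEPARTURES, today):
        print(f"orphaned admin {username}: enabled {days} days after leaving, "
              f"{'USED after departure' if used else 'no login after departure'}")
    print("admins without MFA:", admins_without_mfa(ADMIN_ACCOUNTS))
```

Fed a real identity export and HR leaver list, the same two functions give the list of accounts to disable immediately and the list that must not keep working on a password alone; running them on a schedule, rather than once after an incident, is what closes the four-month window described above.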
The PDPC said a financial penalty was imposed as the personal data breach was “not insignificant”.
In addition to the fine, the company was also directed to implement more controls.