Software firm fined $74k for data breach caused by weak password; half a million users affected


Using the privileged access of the compromised admin account, the hacker accessed personal data of 557,144 users.


SINGAPORE – A company running online language lessons for children around the world used a password based on its website name, LingoAce, making it vulnerable to the data breach that resulted.

More than half a million users, comprising the company’s students, parents, teachers and other staff, were affected. 

Among personal data compromised were the cellphone numbers, bank account numbers, signatures and Chinese nationals’ identity card numbers.

Singapore-based firm PPLingo was fined $74,000, according to a Personal Data Protection Commission (PDPC) judgment released on May 23. It runs online Chinese and English language classes for children aged four to 15.

Some time in April 2022, a hacker obtained an administrator account password of LingoAce – “lingoace123” – via brute force attacks, a method that systematically tries guesses until the correct password or key is found.

The password had remained unchanged for more than two years before the breach.

Using the privileged access of the compromised admin account, the hacker accessed personal data of 557,144 users, more than 300,000 of them minors.

In the subsequent week, the hacker informed the firm that he had accessed LingoAce’s systems and listed personal data of several users in the text to prove this.

However, he did not follow up with any demands.

The commission found that the company had failed to put in place reasonable security arrangements to protect the personal data of its students, parents and staff.

The company was also found liable for not appointing anyone to ensure that it complied with Singapore’s data protection laws.

It appointed a data protection officer only after the data breach, more than five years after the firm was incorporated in 2016.

PDPC found that the firm’s security arrangement to protect personal data was inadequate because it did not have a password policy, apart from requiring a minimum length of eight characters.

As the company’s passwords did not need to be complex and never expired, hackers could easily gain access to the compromised admin account through brute force attacks.

The password was also vulnerable because it was based on the platform’s name and a common sequence of numbers.

The firm had also failed to implement multi-factor authentication for the compromised admin account. This feature has since become a baseline requirement for admin accounts to systems holding confidential, sensitive or large volumes of personal data.
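The weaknesses the commission listed (an eight-character minimum with no complexity or expiry rule, a password built from the platform name and a common number sequence, and no multi-factor authentication on an admin account) can be expressed as a policy check. The following is an added example, not code from the article or from PPLingo/LingoAce; the policy names, thresholds and the account details passed in are assumptions constructed for illustration. It shows the minimum-length-only policy accepting “lingoace123” while a stronger baseline rejects it on several counts.

```python
"""Added example (not from the article or the company): a password policy
checker contrasting a length-only policy with a stronger baseline."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple
import re

# Constructed list of sequences that commonly pad a weak password.
COMMON_SEQUENCES = ("123456", "12345", "1234", "123", "abc", "qwerty", "password")


@dataclass
class PasswordPolicy:
    min_length: int = 8
    require_complexity: bool = False          # at least three character classes
    block_common_sequences: bool = False
    blocked_terms: Tuple[str, ...] = ()       # e.g. the service's own name
    max_age_days: Optional[int] = None        # None: never expires
    require_mfa_for_admin: bool = False


# The policy the commission described: a minimum length and nothing else.
WEAK_POLICY = PasswordPolicy(min_length=8)

# Assumed stronger baseline (thresholds are illustrative, not from the page).
STRONG_POLICY = PasswordPolicy(
    min_length=14,
    require_complexity=True,
    block_common_sequences=True,
    blocked_terms=("lingoace", "pplingo"),
    max_age_days=365,
    require_mfa_for_admin=True,
)


def password_violations(policy: PasswordPolicy, password: str, last_changed: date,
                        today: date, is_admin: bool = False,
                        mfa_enabled: bool = False) -> List[str]:
    """Return every way the account fails the policy (empty list = compliant)."""
    violations: List[str] = []
    lowered = password.lower()

    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")

    if policy.require_complexity:
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < 3:
            violations.append("uses fewer than three character classes")

    # Reject passwords derived from the platform's own name.
    for term in policy.blocked_terms:
        if term in lowered:
            violations.append(f"contains blocked term '{term}'")

    if policy.block_common_sequences:
        for seq in COMMON_SEQUENCES:
            if seq in lowered:
                violations.append(f"contains common sequence '{seq}'")
                break

    # A password left unchanged beyond the policy's maximum age.
    if policy.max_age_days is not None and \
            (today - last_changed) > timedelta(days=policy.max_age_days):
        violations.append(f"unchanged for more than {policy.max_age_days} days")

    if policy.require_mfa_for_admin and is_admin and not mfa_enabled:
        violations.append("admin account without multi-factor authentication")

    return violations


if __name__ == "__main__":
    # Constructed scenario: admin password set in early 2020, checked in April 2022.
    for name, policy in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        result = password_violations(policy, "lingoace123", date(2020, 1, 1),
                                     date(2022, 4, 1), is_admin=True, mfa_enabled=False)
        print(f"{name} policy: {result or 'accepted'}")
```

Under the weak policy the admin password passes, because the only rule it has is length. Under the stronger baseline the same password fails six separate checks, which is the point the commission made: length alone does not stop a guessable, platform-derived password from sitting unchanged on a privileged account.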

Given factors like the firm’s prompt remedial action, which included notifying affected users, the commissioner determined that the firm would be fined $74,000.

After the firm was informed of the decision in July 2023, it asked for a lower fine because of several considerations, including the fact that the firm had made voluntary notifications about the breach to other data protection authorities in more than 40 other affected locations.

To avoid “double counting”, the firm asked that the commission consider only Singapore-based individuals when assessing the number of people impacted.

These reasons were rejected by the commission, which said that it would not lower the fine even if other data protection authorities meted out penalties for the same case.

PDPC also said that a firm is responsible for all personal data in its possession, not just those of individuals located here.

On May 23, PDPC also announced it had slapped a $28,000 fine on ferry operator Horizon Fast Ferry for a data leak affecting nearly 108,500 people who had booked tickets.

This was the second time that the Singapore-based firm, which provides ferries between Singapore and Batam, had been fined for flouting data protection laws here.

Personal data impacted in the leak included customers’ passport numbers, dates of birth, and passport issue and expiry dates.

In March 2023, Horizon Fast Ferry had received several ransomware e-mails, which revealed that personal data of the firm’s customers had been leaked.

About a month later, the firm informed PDPC of the leak. It also took remedial actions such as engaging a vendor to develop a new website.

The commission found that the firm had failed to implement reasonable security arrangements, including not ensuring that its IT support vendor had staff sufficiently familiar with its operating system.

Editor’s note: This report has been edited for clarity.
