Property firm OrangeTee & Tie fined $37k for data breach affecting over 250,000 customers, staff


SINGAPORE - Real estate firm OrangeTee & Tie has been fined $37,000 after the Personal Data Protection Commission (PDPC) found that the information of more than 250,000 customers, employees and agents had been compromised.

In a written judgment on Monday, the PDPC said OrangeTee & Tie had breached its protection obligation by failing to sufficiently assess the security risks in the way it handled users’ personal data, and by failing to conduct reasonable security reviews.

In August 2021, names, bank account numbers, NRIC and passport numbers, and property transaction and commission amounts were extracted from OrangeTee & Tie’s outdated database servers by hacking group Altdos.

The group demanded a ransom of 10 bitcoins from the firm for the safety and non-disclosure of the databases. It also claimed to have hacked OrangeTee & Tie’s network since June 2021 and stolen “hundreds of databases”.

OrangeTee & Tie then filed a police report. It also reported the incident to a division under the Cyber Security Agency of Singapore.

When the hacking group did not receive the ransom, it carried out a distributed denial-of-service attack – which floods a server with traffic – that brought down OrangeTee & Tie’s network.

It also sent another ransom demand through e-mail and messaging platform WhatsApp to some of the firm’s employees.

OrangeTee & Tie engaged a private forensic expert who found that the hackers had extracted personal data sets from 11 databases, not the “hundreds” the group had claimed.

In total, 256,583 people were affected by the data breach, most of them customers of OrangeTee & Tie.

The PDPC said OrangeTee & Tie had used “live” production data, which included personal data, for development and testing without having sufficiently robust processes to ensure it was protected.

It said the company should have conducted a security assessment and used synthetic data, or information that is artificially generated, instead.
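As an added illustration of the control the PDPC describes, and not code from OrangeTee & Tie or from the PDPC decision, the Python below generates test records with the same shape as the data the article says was exposed (names, NRIC numbers, bank account numbers, transaction and commission amounts) without copying any value out of a production export, and then checks that nothing leaked across. The production sample, the name pools and the 2 per cent commission rate are constructed assumptions; the NRIC check-letter scheme is the published one, used so that synthetic values pass the format checks application code typically applies.

```python
"""Synthetic test data in place of a live production export (added example)."""
import random
import string

# Constructed stand-in for a production export; every value here is invented.
PRODUCTION_EXPORT = [
    {"name": "Tan Ah Kow", "nric": "S1234567D", "bank_account": "012-345678-9",
     "transaction_amount": 1_250_000.0, "commission": 25_000.0},
    {"name": "Lim Mei Ling", "nric": "T0123456G", "bank_account": "345-678901-2",
     "transaction_amount": 880_000.0, "commission": 17_600.0},
]

# Fields that identify a person directly and must never be copied to test systems.
DIRECT_IDENTIFIERS = ("name", "nric", "bank_account")

# NRIC check-letter scheme: weights over the 7 digits and the lookup tables.
NRIC_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
NRIC_CHECK_ST = "JZIHGFEDCBA"   # prefixes S and T
NRIC_CHECK_FG = "XWUTRQPNMLK"   # prefixes F and G

# Invented name pools (an assumption for this example).
GIVEN_NAMES = ["Alex", "Bao", "Chandra", "Devi", "Farah", "Hui Ling", "Jun", "Kavitha", "Nicholas", "Siti"]
FAMILY_NAMES = ["Chan", "Goh", "Lee", "Muthu", "Ng", "Ong", "Rahman", "Teo", "Wong", "Yeo"]


def nric_check_letter(prefix: str, digits: str) -> str:
    """Compute the check letter for a 7-digit NRIC/FIN body."""
    total = sum(int(d) * w for d, w in zip(digits, NRIC_WEIGHTS))
    if prefix in "TG":        # the T and G series add an offset of 4
        total += 4
    table = NRIC_CHECK_ST if prefix in "ST" else NRIC_CHECK_FG
    return table[total % 11]


def is_valid_nric(value: str) -> bool:
    """Format-level validation of the kind an application would perform."""
    return (len(value) == 9 and value[0] in "STFG" and value[1:8].isdigit()
            and value[8] == nric_check_letter(value[0], value[1:8]))


def synthetic_record(rng: random.Random) -> dict:
    """One invented record with a realistic shape and no relation to any real person."""
    prefix = rng.choice("ST")
    digits = "".join(rng.choice(string.digits) for _ in range(7))
    amount = round(rng.uniform(300_000, 5_000_000), 2)
    return {
        "name": f"{rng.choice(GIVEN_NAMES)} {rng.choice(FAMILY_NAMES)}",
        "nric": f"{prefix}{digits}{nric_check_letter(prefix, digits)}",
        "bank_account": f"{rng.randrange(1000):03d}-{rng.randrange(10**6):06d}-{rng.randrange(10)}",
        "transaction_amount": amount,
        "commission": round(amount * 0.02, 2),   # 2% commission rate, an assumption
    }


def leaked_values(synthetic: list, production: list, fields=DIRECT_IDENTIFIERS) -> list:
    """Return every (field, value) pair in the synthetic set that also occurs in production."""
    seen = {(f, r[f]) for r in production for f in fields}
    return [(f, r[f]) for r in synthetic for f in fields if (f, r[f]) in seen]


def generate_synthetic(n: int, production: list, seed: int) -> list:
    """Produce n records, rejecting any whose direct identifiers collide with production."""
    rng = random.Random(seed)
    out = []
    while len(out) < n:
        rec = synthetic_record(rng)
        if not leaked_values([rec], production):
            out.append(rec)
    return out


if __name__ == "__main__":
    test_set = generate_synthetic(5, PRODUCTION_EXPORT, seed=1)
    assert not leaked_values(test_set, PRODUCTION_EXPORT)
    for rec in test_set:
        print(rec)
```

The leakage check is the part worth keeping in a pipeline: run it over whatever lands in a development or test database, with the production identifier set held only on the production side, so a refresh that accidentally copies live rows fails before the data is used.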

The property firm also failed to conduct reasonable periodic security reviews of its servers – a standard practice that would have detected vulnerabilities arising from outdated software, the PDPC added.

Two database servers were connected to Internet-facing Web servers, which exposed the personal data on them to security risks.

OrangeTee & Tie did not recognise the risks posed by the outdated software and did not take steps to ensure that all Internet-facing servers were adequately protected, the PDPC said.

The firm subsequently admitted that it did not consider the need for such security reviews in its information technology security policy.

In determining the financial penalty, the PDPC noted mitigating factors such as prompt remedial actions taken by the firm and its cooperation during investigations.

The PDPC added that while names and property transaction amounts were compromised, it did not consider these categories to be highly sensitive as such information can be found to a certain extent in the public domain.

For instance, property transaction amounts can be found via a search on the Urban Redevelopment Authority website for caveats lodged.

In response to queries from The Straits Times, an OrangeTee & Tie spokesman said: “While we are heartened that the authorities noted our prompt remedial actions, which included notifying affected individuals, OrangeTee takes this matter seriously.”

The spokesman said the firm has ramped up network and data security, and heightened its defence against future attacks.

“We are confident of our reinforced security measures and will work hard to maintain our clients’ trust in our IT network.”

In February, the login credentials of about 1,200 people representing various organisations that use the services of ST Telemedia’s data centre operator were leaked onto a hackers’ forum.

A data breach in October 2022 at Carousell also exposed the personal information of 1.95 million users – about 39 per cent of the online marketplace’s user accounts in Singapore. ST reported then that a database of user accounts, believed to be from the Carousell leak, was being sold on the Dark Web and hacking forums.
