SINGAPORE - A local software development company that works with schools here has been slapped with a $60,000 fine for failing to secure the personal information of nearly 48,000 students, parents and staff in 2016.
According to documents released on Thursday (Dec 5) by the Personal Data Protection Commission (PDPC), the company, which provides schools here with attendance-taking technology, had created vulnerabilities in a school's attendance system, allowing hackers to launch a cyber attack and steal the data.
These vulnerabilities created by software company Learnaholic could have been "reasonably averted", said the privacy watchdog. The school affected was not named, but The Straits Times understands that it is a junior college.
Hackers stole data such as names, NRIC numbers, addresses and contact numbers of about 47,800 people. The PDPC said that the medical information of about 370 students was also stolen.
Checks by The Straits Times showed that Learnaholic has taken its website down. Its listed phone number no longer works either.
The fine imposed on the software company is the highest financial penalty the PDPC has issued to an organisation since the $1 million fine slapped on SingHealth and Integrated Health Information Systems in January for a data breach in June last year.
In that breach, the data of 1.5 million patients were compromised.
The PDPC said the hackers in the Learnaholic case were able to get their hands on the data after the company took down a protective firewall to fix an issue with its attendance-taking system. After rectifying the issue, the software company failed to put it back up.
A password-protective measure that should have been in place in the system was also removed when the company was fixing the issue, the PDPC added.
As a result, the hackers obtained a file containing the log-in details of a Learnaholic staff member's work e-mail account, which they then used to get into the system.
The e-mail contained the personal data that the hackers stole, which the PDPC said was unencrypted.
"The organisation's inadequate security measures were therefore directly responsible for the breach and exfiltration of the Personal Data."
"Any of the individual lapses on their own would have been a cause for concern; combined together, the lapses created the perfect opportunity for any opportunistic hacker armed with basic hacking tools to strike," said the commission.
Following the attack, the PDPC said Learnaholic took remedial action, which included changing the passwords for all of its work e-mail accounts and enabling two-factor authentication for these accounts.
The company also deleted all e-mails that held the personal data stolen by the hackers.
Besides Learnaholic, the privacy watchdog said that four other firms were fined for failing to secure the personal data of their customers and staff.
A $12,000 financial penalty was imposed on travel agency The Travel Corporation for not appointing a data protection officer and for failing to protect the personal data of its customers in portable storage devices.
One of its employees had misplaced a portable hard disk, which contained unencrypted files with the personal data of its customers, employees and suppliers.
Troubled retail start-up Honestbee and learning start-up Chizzle were also each fined $8,000.
The PDPC said Honestbee had stored the data of about 8,000 individuals without secure access restrictions, and Chizzle did not put in place reasonable security arrangements to protect the personal data of users of its mobile application.
Separately, business services provider i-vic International was issued a $6,000 fine for not putting in place secure software, which led to the disclosure of personal data of individuals via e-mail.
ST had earlier reported that the amount collected from fines issued by Singapore's privacy watchdog and the number of companies and individuals here who have breached data privacy laws have reached a new annual high.
More than $1.29 million in fines were issued up to September this year, more than the accumulated amount for the previous three years.