Chan Brothers Travel under investigation by privacy watchdog after personal data found to be insecure

A Chan Brothers Travel spokesman said it is progressively contacting affected customers. PHOTO: ST FILE

SINGAPORE - Travel agency Chan Brothers Travel is being investigated by Singapore's privacy watchdog after the personal data of more than 500 of its customers was found to be publicly accessible.

Screenshots provided by a tip-off seen by The Straits Times showed that the website exposed data such as names, NRIC numbers, passport numbers and travel plans of Chan Brothers Travel's customers.

The Personal Data Protection Commission (PDPC) said on Friday (May 24) that it has been notified of the incident and is investigating.

Responding to ST queries, a spokesman for the travel agency said that it takes full responsibility for the incident and that it was notified of the vulnerabilities on Thursday.

It is currently working with its vendor, Aodigy Asia Pacific, to ascertain the cause of the data exposure.

"Upon notification of the vulnerabilities, we immediately took action to address the matter including containing the extent of vulnerabilities, assessing the extent of impact and reporting the incident to PDPC," the spokesman said.

"Some of the measures undertaken require continual monitoring, review and action, as it involves information that has been publicly cached. We have shut down the site meanwhile."

When ST visited the website on Friday, some of the data could still be publicly accessed via cached versions of the site, which are temporarily available versions of websites.

When asked if Chan Brothers Travel had informed any of the affected customers, the spokesman said it was progressively contacting affected customers.

"We are currently investigating this matter and ascertaining the extent and nature of information that was revealed. We would like to assure our customers that no sensitive financial and booking information was revealed," she said.

"That said, we recognise that no personal data should be exposed at all in any manner and that it is our responsibility and priority to protect our customers' personal data."

Co-founder of local fintech start-up Factors Platform Andrew Goh informed ST of the insecure data. He had come across it as he was in the midst of gathering datasets for his work.

He discovered that he could look up client inquiries and post-tour surveys on the Chan Brothers Travel site, which contained the personal information.

Said Mr Goh: "I have found close to 500 entries in aggregate (inquiries and surveys), close to 450 of them are unique clients."

He said he had found the data on Wednesday evening and decided to go down to the travel agency's office the next day to notify them about the issue.

There, he met its IT director, who, he said, told him that the issue would be sorted out.

Later on Thursday, Mr Goh said a Chan Brothers Travel staff member called him to inform him that the problem has been fixed.

But when Mr Goh checked again in the evening, the data was still publicly accessible.

The Chan Brothers spokesman said Mr Goh was still able to view the information that evening as it "was stored in cached pages by the search engines' servers".

When asked what recourse Chan Brother will be providing its customers, its spokesman said that it will be "(addressing) their individual concerns personally".

Reports have quoted Chan Brothers Travel as saying two years ago that it had formed a data protection team and enhanced IT security notifications for its customers.

An advertorial in The Business Times from Chan Brothers Travel said: "The IT team is also in charge of regularly reviewing the agency's IT security polices and keeping up with the latest trends in cyber security, so that sufficient measures are in place to secure the company's online transactions.

"Existing measures such as secured login, automated logout mechanisms and systematic updates of firewalls, to name a few, are constantly updated with the latest patches to ensure there are no loopholes in safeguarding customers' data."

This latest breach comes after news last week that the PDPC was investigating a breach of the Singapore Red Cross website which compromised the personal data of more than 4,200 people, including their full names, contact numbers and e-mail addresses.

On Thursday, the PDPC announced that organisations which expedite its processes by admitting their role in a data breach and pleading guilty to it, may receive a lower financial penalty if the cause is a common breach.

The commission added that organisations could also avoid a full investigation by requesting an undertaking option from the PDPC, in the case of a data breach.

Join ST's Telegram channel and get the latest breaking news delivered to you.