A Singapore software development company that works with schools here has been slapped with a $60,000 fine for failing to secure the personal information of nearly 48,000 students, parents and staff in 2016.
According to documents released on Thursday by the Personal Data Protection Commission, the company, which provides schools here with attendance-taking technology, had left vulnerabilities in a school's attendance system, allowing hackers to launch a cyber attack and steal the data.
These vulnerabilities overlooked by software company Learnaholic could have been "reasonably averted", said the privacy watchdog.
The school affected was not named, but The Straits Times understands that it is a junior college.
Hackers stole data such as the names, NRIC numbers, addresses and contact numbers of about 47,800 people. The commission said the medical information of about 370 students was also stolen.
Checks by The Straits Times showed that Learnaholic has taken its website down. Its listed phone number no longer works.
The fine imposed on the software company is the highest financial penalty the commission has issued to an organisation since the $1 million fine slapped on SingHealth and Integrated Health Information Systems in January for a data breach in June last year.
In that breach, the data of 1.5 million patients was compromised.
The commission said the hackers in the Learnaholic case were able to get their hands on the data after the company took down a protective firewall to fix an issue with its attendance-taking system. After rectifying the issue, the software company failed to put the firewall back up.
Approximate number of people whose names, NRIC numbers, addresses and contact numbers were stolen by hackers.
Approximate number of students whose medical information was also stolen.
A password protective measure that should have been in place in the system was also removed when the company was fixing the issue, the commission added.
As a result, the hackers got their hands on a file containing the login details of a Learnaholic staff member's work e-mail account, which they then used to get into the system.
The staff member's e-mail contained the personal data that the hackers stole, which the commission said was unencrypted.
"The organisation's inadequate security measures were therefore directly responsible for the breach and exfiltration of the personal data.
"Any of the individual lapses on their own would have been a cause for concern; combined together, the lapses created the perfect opportunity for any opportunistic hacker armed with basic hacking tools to strike," said the commission.
Following the attack, the commission said Learnaholic took remedial action, which included changing the passwords for all of its work e-mail accounts and enabling two-factor authentication for these accounts.
The company also deleted all e-mails that held the personal data stolen by the hackers.
The Straits Times earlier reported that the amount collected from fines issued by Singapore's privacy watchdog and the number of companies and individuals here who have breached data privacy laws have reached a new annual high.
More than $1.29 million in fines was issued up to September, more than the accumulated amount for the previous three years.
Other firms that got into trouble with privacy watchdog
The Travel Corporation: Fined $12,000 The travel agency was fined for not appointing a data protection officer and for failing to protect the personal data of its customers in portable storage devices.
One of its employees had misplaced a portable hard disk, which contained unencrypted files with the personal data of its customers, employees and suppliers.
Honestbee: Fined $8,000
The troubled retail start-up had stored data of about 8,000 individuals without secure access restrictions.
A spokesman for the company told The Straits Times that its breach of privacy laws was in relation to a file repository that was created for testing purposes in April last year.
Access to these files was limited to those with knowledge of the test, said the spokesman, adding that only technical people with specific knowledge of the vulnerability could have gained access. The data has since been removed and access has been tightened.
Chizzle: Fined $8,000
The learning start-up had not put in place reasonable security arrangements to protect the personal data of users of its mobile application, said the Personal Data Protection Commission. This resulted in the personal data of about 2,200 users, including some users in Singapore, being compromised.
i-vic International: Fined $6,000
Business services provider i-vic International was fined for not putting in place secure software, which led to the disclosure of personal data of individuals via e-mail, said the commission.
Hariz Baharudin and Choo Yun Ting