5.9 million customers hit by RedDoorz data breach
The personal data of nearly 5.9 million Singaporean and South-east Asian customers of hotel booking site RedDoorz was found to have been leaked, in what the Government has called Singapore's largest data breach.
The Personal Data Protection Commission (PDPC) has fined local firm Commeasure, which operates the website, $74,000.
This is much lower than the combined $1 million fine imposed on SingHealth and Integrated Health Information Systems for the 2018 data breach that affected 1.5 million people.
The commission said it had factored in hardship to the hospitality sector caused by the pandemic. "In deciding the amount of financial penalty to be imposed, we also considered that the organisation, which operates in the hospitality industry, had been severely impacted by the Covid-19 pandemic," said the PDPC in a judgment issued last Thursday.
"This is the largest data breach that has occurred since the Personal Data Protection Act came into effect," it added.
RedDoorz said last year that most of the compromised data came from the booking platform's largest market, Indonesia. The company's customers are all from South-east Asia. It is understood about 9,000 of those affected are from Singapore.
The maximum fine now for a data breach is $1 million under the Act.
But firms can soon be fined more - up to 10 per cent of their annual turnover in Singapore or $1 million, whichever is higher. This is slated to take effect some time next year, at the earliest.
The affected data in the Commeasure incident included the customer's name, contact number, e-mail address, date of birth, encrypted password to his RedDoorz account and booking information.
As customer passwords were encrypted, the hackers will not be able to use them unless they find a way to decode the passwords.
The hackers did not access or download customers' masked credit card numbers.
However, with the other personal details leaked, cyber criminals might be able to pose as the victims and try to take over other online accounts, going by what cyber-security experts have said in other incidents. Victims could also be targeted by more phishing attempts.
The stolen data was put up for sale on a hacker forum before it was taken down, reported The Business Times last year.
Commeasure found out about the breach on Sept 19 last year, after it was alerted by an American cyber-security firm. The PDPC was notified on Sept 25.
The hackers likely accessed the firm's database, hosted on Amazon's cloud, after obtaining an Amazon Web Services (AWS) access key.
This key was embedded in an Android application package (APK) created by Commeasure in 2015 and publicly available for download from the Google Play store. An APK is the file format used to distribute and install Android apps, in this case the RedDoorz app.
Commeasure wrongly labelled the access key in the APK as a "test key". The APK was eventually regarded as "defunct" by the company. Still, it could be downloaded from Google Play and was removed only after the breach was found.
Since the APK was considered defunct, it was left out when Commeasure engaged a cyber-security company to conduct a security review and tests from September to December 2019. A security tool that could have prevented the hackers from getting the access key was also not used on the APK as a result.
The PDPC said that had the firm examined this APK or the key, the breach could have been prevented.
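A pre-release check of the kind the PDPC describes, as an added example rather than Commeasure's or the commission's own tooling: it scans every entry of an APK (a zip archive, including the compiled classes.dex) for AWS access key IDs and for labelled secret keys, so a credential marked as a "test key" is flagged all the same. The sample APK is constructed inline and its credential values are AWS's documented placeholders, not real keys.

```python
"""Scan an Android APK (a zip archive) for embedded AWS credentials.

Added example; the sample APK is constructed inline and the key values
are AWS's documented placeholder credentials, not real ones.
"""
import io
import re
import zipfile

# AWS access key IDs are 20 chars: a 4-char prefix (AKIA = long-term user key,
# ASIA = temporary STS key) followed by 16 uppercase alphanumerics.
ACCESS_KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-like chars; only flag them when an
# "aws ... secret" label sits on the same line, to limit false positives.
SECRET_KEY_RE = re.compile(
    rb"(?i)aws[^\n]{0,30}secret[^\n]{0,30}?['\"=:\s]([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)


def scan_apk(apk_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (entry_name, finding_type, value) for every credential-like match.

    Each entry is scanned as raw bytes, so resources, assets and the compiled
    classes.dex are all covered regardless of how the key was stored.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            data = apk.read(entry)
            for m in ACCESS_KEY_ID_RE.finditer(data):
                findings.append((entry, "access_key_id", m.group(0).decode()))
            for m in SECRET_KEY_RE.finditer(data):
                findings.append((entry, "secret_access_key", m.group(1).decode()))
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a published APK; values are AWS doc placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        # A "test key" comment does not make the credential any less usable.
        apk.writestr("assets/config.properties",
                     "# test key\n"
                     "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\n"
                     "aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
        # Binary DEX-like content with the key ID embedded among other bytes.
        apk.writestr("classes.dex",
                     b"dex\n035\x00" + b"\x00" * 8 + b"AKIAIOSFODNN7EXAMPLE" + b"\xff" * 4)
        # Similar-looking text that is not a key ID (wrong length, lowercase).
        apk.writestr("res/values/strings.xml", '<string name="x">AKIAnotakey</string>')
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind, value in scan_apk(build_sample_apk()):
        print(f"{entry}: {kind} {value[:8]}...")
```

Run it against the real release artifact (every APK or app bundle that is still published, including ones considered defunct) as part of the build pipeline, and treat any hit as a key to revoke, not just a string to delete.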
The commission added that it was not satisfied that the IT security reviews that Commeasure conducted were sufficiently rigorous and met standards under the law.
In arriving at the $74,000 fine, it said it considered factors such as the actions Commeasure took to address the incident. These included allowing only white-listed Internet protocol addresses to access its live databases.
Although the firm conducted periodic security reviews, the PDPC said these efforts were futile as the affected APK was excluded.
Commeasure informed affected customers on Sept 26 last year.