Data of 5.9m customers of RedDoorz hotel booking site leaked in Spore's largest data breach

It is understood that about 9,000 of the affected RedDoorz customers are from Singapore. ST PHOTO: DESMOND WEE

SINGAPORE - The personal data of nearly 5.9 million Singaporean and South-east Asian customers of hotel booking site RedDoorz was found to have been leaked, in what the Government has called Singapore's largest data breach.

The Personal Data Protection Commission (PDPC) has fined local firm Commeasure, which operates the website, $74,000.

This is much lower than the combined $1 million fine imposed on SingHealth and Integrated Health Information Systems for the 2018 data breach which affected 1.5 million people.

The commission said it had considered hardship on the hospitality sector caused by the Covid-19 pandemic.

"In deciding the amount of financial penalty to be imposed, we also considered that the organisation, which operates in the hospitality industry, had been severely impacted by the Covid-19 pandemic," said the PDPC in a judgment issued last Thursday (Nov 11).

"This is the largest data breach that has occurred since the Personal Data Protection Act came into effect."

RedDoorz said last year that most of the compromised data came from the booking platform's largest market, Indonesia. The company's customers are all from South-east Asia.

It is understood that about 9,000 of the affected people are from Singapore.

The maximum fine for a data breach is $1 million now under the Act, which came into force in 2013.

But firms can soon be fined more - up to 10 per cent of their annual turnover in Singapore or $1 million, whichever is higher. The higher fine is slated to take effect at least 12 months from Feb 1 this year.

The affected data in the Commeasure incident included the customer's name, contact number, e-mail address, date of birth, encrypted password to his RedDoorz account and booking information.

As customer passwords were encrypted, the hackers will not be able to use them unless they find a way to decode the passwords. This reduces the likelihood of the crooks being able to use the passwords to hack into victims' RedDoorz accounts.

The hackers did not access or download customers' masked credit card numbers.

However, with the other personal details breached, cyber criminals might be able to pose as the victims and try to take over other online accounts that use similar details, going by what cyber-security experts have said in other incidents.

It also means that the victims could be targeted by more spam messages and phishing attempts.

The stolen data was put up for sale on a hacker forum before it was taken down, reported The Business Times last year.

Commeasure found out about the breach on Sept 19 last year, after an American cyber-security firm alerted the company.

PDPC was notified on Sept 25.

The hackers had likely accessed the company's database hosted on an Amazon cloud database after getting an Amazon Web Services access key.

This key was embedded in an Android application package (APK) created by Commeasure in 2015 and publicly available for download from the Google Play store.

The package is used by Google's Android operating system to distribute and install mobile apps. The APK in question here is for installing the RedDoorz app.

The move by Commeasure to include the access key in the APK is against Amazon Web Service's advice to not embed access keys directly into code.

Commeasure wrongly labelled the access key in the APK as a "test key" too. The APK was also eventually regarded as "defunct" by the company. Even so, it could still be downloaded from Google Play and was only removed after the data breach was discovered.

Since the APK was considered defunct, it was left out when Commeasure engaged a cyber-security company to conduct a security review and tests from September to December 2019.

A security tool that could have prevented the hackers from getting the access key was also not used on the APK since it was considered defunct.

All the developers, except one of the organisation's co-founders and the chief technology officer, have since left the company.

PDPC said that had the company examined this APK or the access key, the data breach could have been prevented.

"The organisation's failure to include the affected APK and the... access key within the scope of the security review arose because of the organisation's negligence to include them in its inventory of IT assets in production," said the commission.

PDPC added that it was not satisfied that the IT security reviews that Commeasure conducted were sufficiently rigorous and met standards under the law.

In arriving at the $74,000 fine, the commission said it also considered factors such as the actions Commeasure took to address the incident. These included only allowing white-listed Internet Protocol addresses to access its live databases and having two-factor authentication in place for all the tools and accounts used by developers.

PDPC also said although the company conducted periodic security reviews, these efforts were futile since the affected APK was not included.

Commeasure informed affected customers on Sept 26 last year of the breach and advised them to change their RedDoorz account passwords as a precaution and avoid using the same passwords on other online platforms.

Join ST's Telegram channel and get the latest breaking news delivered to you.