Crypto exchange operator Quoine fined $67,000 over breach of 650k customers' data

The stolen data included full names, addresses, e-mail addresses, phone numbers and various kinds of customers' documents. PHOTO: REUTERS

SINGAPORE - Virtual currency exchange operator Quoine has been fined $67,000 for failing to protect the personal data of more than 650,000 customers, in what is believed to be the first breach of the Personal Data Protection Act (PDPA) involving a cryptocurrency firm here.

The stolen data included full names, addresses, e-mail addresses, phone numbers and various kinds of documents such as photos and scans of NRICs and passports belonging to the customers.

Financial information about Quoine's Japanese customers, as well as transaction information and bank account details, was also leaked.

In a written decision published last Thursday (Jul 14), Singapore's privacy watchdog said Quoine had failed to review and assess the security implications and risks of a development and operations (DevOps) account used by a criminal to access the data.

The company had also failed to implement reasonable controls for the account, the Personal Data Protection Commission (PDPC) added.

Quoine, which operates crypto exchange Liquid, collected and stored data for the purpose of know-your-client (KYC) checks.

It used a cloud computing platform provided by a vendor to run its cryptocurrency exchange and a cloud computing database. It also used a cloud computing storage service provided by another vendor to store the KYC documents.

The breach occurred in November 2020 after a staff member at a third-party domain provider engaged by Quoine fell for a social engineering attack and incorrectly transferred control of the domain hosting account to the culprit.

A domain provider allows one to purchase and register a website domain name, which was quoine.com in Quoine's case.

PDPC did not specify what kind of social engineering attack was used, but this often entails tricking people into giving up information through methods like phishing e-mails.

The culprit was able to change the registered e-mail address on the domain hosting account and take control after resetting the password.

This enabled the culprit to change the configuration of Quoine's e-mail service and redirect all of its e-mails to another server, including many security alerts and notifications.

The culprit then reset the password to one of Quoine's DevOps accounts, which was mainly used for automation tasks, meaning human employees did not regularly use the account. The DevOps account was then used to access Quoine's cloud databases and steal the customer data inside.
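The e-mail redirection step described above is what let the culprit complete the DevOps password reset without anyone seeing the reset or alert messages. As an added example (not Quoine's, the PDPC's or any vendor's code), the check below compares a domain's observed MX records against an owner-approved baseline and flags drift; the hostnames and DNS answers are constructed placeholders so it runs offline.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MxRecord:
    preference: int   # lower value = mail is delivered to this host first
    host: str

# Baseline signed off by the domain owner (constructed hosts, not real infrastructure).
BASELINE = {MxRecord(10, "mx1.mail-vendor.test"), MxRecord(20, "mx2.mail-vendor.test")}

# Canned DNS answers standing in for live lookups, so the check runs offline.
# The third snapshot mimics the incident pattern: every MX now points at an unapproved host.
SNAPSHOTS = [
    {MxRecord(10, "mx1.mail-vendor.test"), MxRecord(20, "mx2.mail-vendor.test")},
    {MxRecord(5, "relay.unknown-host.test"), MxRecord(10, "mx1.mail-vendor.test"),
     MxRecord(20, "mx2.mail-vendor.test")},
    {MxRecord(10, "relay.unknown-host.test")},
]

def check_mx(observed, baseline=BASELINE):
    """Compare one observed MX set with the baseline; return (severity, message) findings."""
    findings = []
    approved = {r.host for r in baseline}
    best_approved = min(r.preference for r in baseline)
    for rec in sorted(observed, key=lambda r: r.preference):
        if rec.host not in approved:
            # An unknown host that wins (or ties) the preference order receives the mail
            # first, including password-reset links and security alerts.
            sev = "high" if rec.preference <= best_approved else "medium"
            findings.append((sev, f"unapproved MX {rec.host} (pref {rec.preference})"))
    remaining = approved & {r.host for r in observed}
    if not remaining:
        findings.append(("high", "no approved MX host remains: mail fully redirected"))
    elif remaining != approved:
        findings.append(("low", f"approved MX hosts missing: {sorted(approved - remaining)}"))
    return findings

def audit(snapshots=SNAPSHOTS, baseline=BASELINE):
    """Run the check over a series of snapshots; returns {index: findings} for any drift."""
    return {i: f for i, snap in enumerate(snapshots) if (f := check_mx(snap, baseline))}

if __name__ == "__main__":
    # In production, replace SNAPSHOTS with real lookups and send these alerts over a
    # channel that does not depend on the monitored domain's own e-mail.
    for i, findings in audit().items():
        for sev, msg in findings:
            print(f"snapshot {i}: [{sev}] {msg}")
```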

Even though the initial breach occurred at the company's third-party domain provider, the PDPC found that Quoine bore responsibility for the poor security of the DevOps account.

"The organisation suggested that the DevOps account's security risk profile had not been assessed, probably due to its intended use as an automation account. This was not accepted," the commission said.

"The organisation is not exempted from assessing the security implications and risks of the DevOps account simply on the basis that it was an automation account, especially considering that the DevOps account could be used to access the customer data stored in the databases."

Following the incident, Quoine notified its customers of the breach and advised them to take actions to secure their accounts and check for suspicious activities.

It also moved its domains to a more robust service provider with stronger access controls, including mandatory two-factor authentication.

Quoine also migrated its Liquid exchange to a different vendor's cloud platform and implemented additional safeguards such as IP address whitelist restrictions, which ensure certain accounts can only be logged into from specific networks.

In deciding the penalty, PDPC said it took into account mitigating factors, such as how Quoine took prompt remedial actions, including notifying the affected individuals. It was cooperative during investigations and voluntarily accepted liability for the incident, the commission added.
