SINGAPORE - GeniusU, a Singapore-based education technology company, has been fined $35,000 for a data breach that resulted in the theft of 1.26 million users' personal data.
The incident is one of the largest data breaches here in recent years, in terms of the number of users affected.
The largest breach to date affected nearly 5.9 million South-east Asian customers of hotel booking site RedDoorz in late 2020. It was fined $74,000 by the Personal Data Protection Commission (PDPC), Singapore’s privacy watchdog.
Before that, SingHealth and Integrated Health Information Systems were fined a combined $1 million for a 2018 incident that affected 1.5 million people.
While the number of users affected is significant, the GeniusU leak did not include more sensitive information like financial or health data, noted lawyer Nathanael Lim, who specialises in technology law at the firm Reed Smith.
“The fine levied may appear to be on the lower end of the scale considering the number of users affected, but it is clear the PDPC also considered GeniusU’s voluntary admission and cooperation, as well as its swift remedial actions,” he said.
“Organisations should take note of this in the event of any data breach.”
In a written decision published on Thursday (April 21), the PDPC said GeniusU had failed to put in place reasonable security arrangements to prevent the unauthorised access and theft of users' personal data, including first and last names, e-mail addresses, location information and last sign-in IP addresses.
GeniusU notified the PDPC of the incident on Jan 12, 2021.
The day before, GeniusU's head of product at the time, Ms Kathleen Hamilton, had acknowledged the breach in a post on the company's website.
She had said GeniusU's support team was made aware of the incident on Jan 9 last year, adding that the breach appeared to have occurred in early November 2020.
Internal investigations by GeniusU found that the breach was likely caused by a compromised account belonging to one of its developers.
The login credentials to a GeniusU database containing the personal data had been stored in code hosted on GitHub, a software development platform.
The developer had either used a weak GitHub password, or had his password compromised.
Criminals then found the login credentials through his GitHub account, gained access to the GeniusU database and stole the data.
The PDPC also noted that the stolen data had been stored in a testing environment, that is, a system used for testing code.
It added that real personal data should not be stored in testing environments, which are known to be less secure than production environments, the live systems on which platforms actually operate.
Following the incident, GeniusU refreshed the login credentials to the breached database, removed all hard-coded credentials from its code on GitHub and cleared existing login sessions.
It also removed all personal data from non-production environment servers, and implemented multi-factor authentication for all work-related accounts, as well as a standardised cyber-security policy and related procedures for all staff.
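As an added illustration, not GeniusU's code or any tool named in the article, the Python below shows a simple check for the defect described above (database credentials hard-coded in source that is pushed to a repository), alongside the hardened form that assembles the connection string from environment variables at run time. The pattern names, the sample source and the DB_* variable names are constructed for this example.

```python
from __future__ import annotations
import os
import re
from dataclasses import dataclass

# Patterns for the kind of secret the GeniusU breach involved: database
# credentials committed to source. Constructed for illustration, not taken
# from any real scanning tool.
CREDENTIAL_PATTERNS = {
    # Connection URLs embedding a password, e.g. postgres://user:pass@host/db
    "db_url_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:\s/]+:[^@\s]+@"),
    # Assignments of password-like names to a quoted literal of 4+ characters
    "password_literal": re.compile(
        r"(?i)\b(?:db_)?(?:password|passwd|pwd|secret)\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
}

@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    text: str

def scan_source(source: str) -> list[Finding]:
    """Return one Finding per non-comment line that matches a credential pattern.
    Lines that read the value from the environment are not flagged."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rule, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(line_no, rule, stripped))
                break  # one finding per line is enough for a pre-commit gate
    return findings

def database_url_from_env(env: dict[str, str] | None = None) -> str:
    """Hardened form: build the connection string from the environment at run
    time, so the repository never contains the credential. Fails closed if a
    setting is missing instead of falling back to a default password."""
    env = os.environ if env is None else env
    missing = [k for k in ("DB_USER", "DB_PASSWORD", "DB_HOST", "DB_NAME") if not env.get(k)]
    if missing:
        raise RuntimeError(f"missing database settings: {', '.join(missing)}")
    return f"postgresql://{env['DB_USER']}:{env['DB_PASSWORD']}@{env['DB_HOST']}/{env['DB_NAME']}"

# Constructed sample source, not from GeniusU's code base.
SAMPLE_SOURCE = '''
import os
DATABASE_URL = "postgres://app:Hunter2pass@db.internal.example/users"
DB_PASSWORD = "Hunter2pass"
SAFE_URL = os.environ["DATABASE_URL"]
# password = "this is only a comment"
'''
```

Running `scan_source(SAMPLE_SOURCE)` flags the two hard-coded lines and leaves the environment-based line alone; a check like this belongs in a pre-commit hook or CI step, paired with rotating any credential it finds already committed.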
Besides notifying the PDPC of the breach, GeniusU also notified its users and the General Data Protection Regulation (GDPR) authority in Ireland.
In deciding the appropriate fine, the PDPC took into consideration the fact that GeniusU had voluntarily disclosed the incident and admitted its liability, as well as its prompt remedial actions.
GeniusU has over 2.7 million members, according to its website. It is unclear how many of the affected users are based in Singapore.
The Straits Times has contacted GeniusU for comment.
Separately, the PDPC on Thursday also fined Trinity Christian Centre $20,000 for similarly breaching its data protection obligations.
On or around Feb 17, 2021, the church was hit by a ransomware attack on a server containing 72,285 individuals' data, including that of about 8,300 minors.
The types of data on the server included names, full identification numbers, residential addresses, contact numbers, e-mail addresses, photographs, dates of birth, ages, marital statuses, education levels and descriptions of medical conditions gathered during counselling sessions, but the church's investigations did not find evidence that the data had been stolen.
The culprit had exploited an unsecured remote access protocol and accessed the church's network using a compromised administrator account that had previously been assigned to an IT vendor for developing and testing applications.
The ransomware attack rendered the server inaccessible, but the church managed to restore the affected database using back-up copies.
Trinity Christian Centre notified the PDPC on March 11 last year, and notified church members on April 8 last year.
The church also changed all user and administrator passwords, closed the gaps in its remote access protocols and restricted administrator-level access to its servers and workstations.
A security review was conducted and the church implemented real-time threat monitoring, detection and response measures.
The PDPC noted the sensitive nature of the affected data and said the church had failed to stipulate data protection requirements in its contract with the vendor, thereby breaching the Personal Data Protection Act (PDPA).
The authority considered, as mitigating factors, the church's upfront admission of the breach, its prompt remedial actions and the fact that no evidence suggested the data had been stolen.