SINGAPORE - Home-grown fashion label Love, Bonito has been fined $24,000 over a 2019 data breach which saw personal information of more than 5,500 customers compromised.
It had failed to put in place reasonable security arrangements to protect the personal data, which included customers' first and last names, phone numbers and credit card details, said the Personal Data Protection Commission (PDPC) in its written decision published last Thursday (May 19).
The data breach involved an administrator account for the software Love, Bonito used to manage its e-commerce website; an unknown third party used the account to access and obtain customers' personal data.
The account was also likely used to add unauthorised code to the website, according to investigations by the firm, its digital solutions providers and a private forensic investigator.
The code ran whenever customers accessed the "check-out" page on the website to pay for their orders, and sent their credit card details to the third party instead of to the payment platform used by Love, Bonito.
In late November 2019, the company noticed a significant drop in credit card authorisations for payments via the platform and discovered that the "check-out" page had been incorrectly configured.
It implemented a fix to allow the processing of credit card payments to resume through the platform.
However, the same issue recurred in early December 2019 and the firm disabled the credit card payment function on the "check-out" page.
Subsequent investigations uncovered the code and the unauthorised use of the administrator account by the unknown third party.
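The company's first clue was the drop in card authorisations: a skimmer that redirects card data away from the payment platform starves the platform of transactions. The following is an added example for this article, not Love, Bonito's or its payment provider's monitoring, showing how that signal could be alerted on automatically. The log format, dates and counts are constructed for illustration; the baseline window and drop threshold are assumptions.

```python
"""Alert when the checkout-to-authorisation rate collapses.

Added example for this article, not code from Love, Bonito or its payment
platform.  SAMPLE_LOG is constructed: seven normal days, then two days on
which card data stops reaching the payment platform.
"""
from statistics import median

SAMPLE_LOG = """\
2019-11-20 checkout_views=410 card_auths=291
2019-11-21 checkout_views=398 card_auths=280
2019-11-22 checkout_views=452 card_auths=318
2019-11-23 checkout_views=521 card_auths=366
2019-11-24 checkout_views=488 card_auths=343
2019-11-25 checkout_views=431 card_auths=302
2019-11-26 checkout_views=417 card_auths=295
2019-11-27 checkout_views=439 card_auths=61
2019-11-28 checkout_views=445 card_auths=48
"""


def parse_log(text: str) -> list[tuple[str, int, int]]:
    """Parse 'date checkout_views=N card_auths=M' lines into (date, views, auths)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, views, auths = line.split()
        rows.append((date, int(views.split("=", 1)[1]), int(auths.split("=", 1)[1])))
    return rows


def auth_rate_alerts(rows, baseline_days: int = 7, drop_threshold: float = 0.5):
    """Return (date, auth_rate) for days whose authorisation rate falls below
    drop_threshold times the median rate of the first baseline_days days.

    A median baseline is used so a single odd day does not skew it; the
    threshold is an assumed tuning value, not something from the article.
    """
    rates = [(date, auths / views) for date, views, auths in rows if views]
    baseline = median(rate for _, rate in rates[:baseline_days])
    floor = drop_threshold * baseline
    return [(date, round(rate, 3)) for date, rate in rates[baseline_days:] if rate < floor]


if __name__ == "__main__":
    for date, rate in auth_rate_alerts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {date}: authorisation rate {rate:.1%} is far below baseline")
```

This catches the "redirect" variety of skimmer the article describes. A skimmer that copies the card details to the attacker and still forwards them to the payment platform produces no drop at all, so the ratio check should sit alongside an inventory of the scripts served on the check-out page and integrity checks on the page template, not replace them.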
A previous report by The Straits Times said Love, Bonito had informed its online customers via e-mail on Dec 13, 2019.
A company spokesman had told ST at the time that a "small number" of its customers were affected. It is not known how many registered online customers the firm has.
The PDPC said in its written decision that Love, Bonito's password policy - for the website management software accounts - was inadequate.
The firm had adopted the software's default security settings, such as a minimum password length and an account lockout after a number of failed login attempts.
But more robust and stringent measures were required, said the PDPC, which noted that Love, Bonito did not mandate periodic changes of passwords.
The software's default security settings also did nothing to stop the company's employees from choosing passwords that could be easily guessed.
The PDPC said that the password of the administrator account - "ilovebonito88" - incorporated the firm's name, which made it easy to guess and vulnerable to brute-force attacks. A password like this does not have to be found by systematically trying every possible combination of letters, numbers and symbols, which would take a long time for 13 characters; an attacker who builds a targeted wordlist from the company's name and common suffixes such as "88" can expect to hit it within a handful of attempts, often fewer than an account lockout threshold allows.
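To show why a length-and-lockout policy passed this password, here is an added example contrasting a length-only rule with a rule that screens for the organisation's name, common passwords and single-word-plus-digits patterns. It is illustrative code written for this article, not Love, Bonito's or its e-commerce platform's; the organisation-name tokens, the tiny common-password list, the 12-character minimum and the leet-substitution map are all assumptions.

```python
"""Length-only password rule versus a guessability-aware rule.

Added example for this article; not code from Love, Bonito or its website
management software.  ORG_TOKENS, COMMON_PASSWORDS and the thresholds are
assumed values chosen for illustration.
"""
import re

# Assumed: name fragments an attacker would put in a targeted wordlist,
# most specific first so the reported reason is the most telling one.
ORG_TOKENS = ("lovebonito", "bonito", "love")

# Tiny stand-in for a breached/common-password corpus; production code
# should check a real list (e.g. the Have I Been Pwned range API).
COMMON_PASSWORDS = {"password", "letmein", "welcome", "admin", "qwerty"}

# Undo the usual leet substitutions so "L0v3B0n1t0" still matches "lovebonito".
LEET = str.maketrans("0134$@", "oieasa")


def normalise(pw: str) -> str:
    """Lower-case, de-leet, and keep letters only."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def default_policy(pw: str, min_len: int = 8) -> bool:
    """Length-only check, like the platform default the article describes:
    accepts anything long enough, however guessable."""
    return len(pw) >= min_len


def strict_policy(pw: str, min_len: int = 12) -> tuple[bool, str]:
    """Reject passwords an attacker would guess before hitting lockout."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    core = normalise(pw)
    for token in ORG_TOKENS:
        if token in core:
            return False, f"contains organisation name fragment '{token}'"
    letters_only = re.sub(r"[^a-z]", "", pw.lower())
    if core in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        return False, "based on a common password"
    # One dictionary-style word with a short digit suffix and optional symbol.
    if re.fullmatch(r"[A-Za-z]+\d{1,4}[!@#$%^&*]?", pw):
        return False, "single word with numeric suffix"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("ilovebonito88", "L0v3B0n1t0!!", "Password12345",
                      "Wintertime2023!", "correct-horse-battery-staple"):
        print(f"{candidate!r}: default={default_policy(candidate)} "
              f"strict={strict_policy(candidate)}")
```

The lockout setting the firm relied on limits online guessing, but it only helps if the correct guess is not among the first few tries; screening out the organisation's own name at the point the password is set is what removes that gap.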
It also noted other significant weaknesses in the company's IT systems which could have been exploited by malicious third parties to gain access to the website's management software.
These included the lack of security monitoring of Love, Bonito's network, and systems that were not being maintained or patched.
The maximum fine a company can face for a data breach is $1 million.