Tuition agency, owner of home services website fined over leaks of personal data

ChampionTutor Inc was fined $10,000 over the leak of 4,625 students' names, contact numbers and addresses which were sold on the Dark Web.

SINGAPORE - Home tuition agency ChampionTutor was fined $10,000 for failing to secure the personal data of 4,625 students, in what is its second fine in about two years over data lapses.

The agency has more than 10 years of experience in matching students with tutors in Singapore.

It had failed to fix a security flaw on its website, which led to information - such as names, contact numbers and addresses of students - being leaked and sold on the Dark Web, said the Personal Data Protection Commission (PDPC) in a summary of its decision issued last Thursday (Oct 14).

Another company, Stylez, was fined $37,500 over the leak of the personal data of 9,983 individuals.

Stylez operated local quotation and service comparison portal iCompare.sg. The portal, which promoted various services such as wedding photography, home loans and movers, has since been taken down.

The leak involved the portal’s records of its renovation and interior design clients between 2009 and 2016, comprising their names, e-mail addresses and phone numbers.

The Straits Times reported on Dec 25, 2019, that some of the data was posted on the Dark Web, next to what appeared to be hacked documents on American military tanks, Netflix passwords and national identification data of Turkish nationals.

The information posted also included office addresses, quotations and customer inquiries to at least 60 companies.

In the written grounds of its decision issued last Thursday, the PDPC said the leaked data had been used for a new database created by Stylez in July 2016 to test a new function for iCompare.sg.

But the company had failed to implement "reasonable" security arrangements to protect the personal data in the database.

This included storing the database in a publicly accessible directory on a cloud server - which meant it could be discovered and accessed via Internet search engines - and in an unencrypted format for more than 2½ years.

"Investigations revealed that the data exposed... was accessed and exfiltrated from the (database) some time before December 2019," said the PDPC.

But the portal's other databases were hosted on servers leased from a different cloud service provider and were unaffected.

The PDPC also found that Stylez had failed to develop and implement any internal data protection policies that corresponded to what it had communicated to its then-existing and prospective customers.

"In fact, no such guidelines or procedures were implemented, and this made what was communicated to (Stylez's) customers and prospective customers effectively an empty promise," said the PDPC.

"While (Stylez) claimed that it had relied on verbal reminders to inform its staff on the importance of data protection, these reminders were undocumented and, in any event, inadequate."

In the case of ChampionTutor, the PDPC said the firm knew about the security flaw when it conducted a test in December last year.

The company then instructed its India-based developer, which was not named by the PDPC, to fix the vulnerability.

But the developer did not respond, and the tuition agency did not do anything else to fix the flaw.

The PDPC said it received information on Feb 24 this year that the company's database was being sold on the Dark Web.

It later notified the tuition agency, which was unaware of the leak.

The tuition agency has since engaged a new team of developers and is revamping its entire website source code to reduce possible vulnerabilities.

In 2019, it was fined $5,000 by the PDPC after a list containing the names, contact numbers and e-mail addresses of 4,899 individuals was leaked.

At the time, ChampionTutor did not have any data protection officer and had failed to implement any internal data protection policies, both of which are mandatory under the law.