CASE ‘committed’ to safeguarding consumers’ data, after S$20,000 fine over breaches


SINGAPORE: The Consumers’ Association of Singapore (CASE) said on Friday (Aug 30) it is committed to safeguarding consumers’ data, after it was fined S$20,000 (US$15,350) by the Personal Data Protection Commission (PDPC).

The personal data of over 12,000 individuals and more than 22,000 e-mail addresses were possibly compromised in two separate data breach incidents involving CASE.

In a judgement published by PDPC on Wednesday,  Singapore’s privacy watchdog said CASE breached its obligations under the Personal Data Protection Act (PDPA) to protect personal data in its possession.

It also failed to develop and implement policies and practices that are necessary to meet its obligations under the PDPA.

The consumer watchdog acknowledged the breaches and accepted the S$20,000 fine, adding it is “committed to safeguarding consumers’ data”.

CASE added it has complied with PDPC’s directives to update its personal data protection policies and to rectify security gaps.

“We will continually review our systems and practices to prevent a recurrence of such incidents.” 

WHAT HAPPENED 

In the first incident on Oct 8 and Oct 9, 2022, a number of CASE consumers received unsolicited phishing emails from two official addresses belonging to the consumer watchdog.

They were informed their complaints had been escalated to the “collections and compensation department” and were eligible for a compensation payout. 

The affected consumers were directed to click on a chat icon to fill in their banking details to complete the payment process.

The emails came from an account used to communicate with consumers who lodge complaints on CASE’s website.

Similar emails were sent via an account used to communicate with consumers whose complaints were escalated to mediation. 

CASE notified PDPC there had been a data breach incident involving a threat actor on Oct 11, 2022. A threat actor is an individual or group that intentionally causes harm to digital devices or systems.

CASE received complaints of more phishing emails that had been sent from addresses which did not originate from its domain in January and February 2023.

The affected consumers’ emails were “likely harvested” by the threat actor during the course of the first incident, PDPC said.

A total of 5,205 phishing emails were sent to 4,945 recipients, with the privacy watchdog noting that up to 22,542 addresses were exposed to “harvesting” by the threat actor.

Three affected consumers informed CASE they had interacted with the phishing emails, allegedly resulting in monetary losses of S$217,000 in total. A police report has since been made.

CASE engaged a private forensic expert to ascertain the cause and extent of the first incident, and it found that the threat actor had successfully signed into the affected accounts using the correct login credentials.

It also found that the correct login credentials were obtained from a successful phishing attack on an employee of CASE.

Also, some of CASE’s computers were “running on end-of-life operating systems, and had vulnerable software with unapplied upgrades or security patches”, which put it at risk of remote code execution vulnerability, according to the judgment. 

SECOND INCIDENT

In June 2023, PDPC received a complaint from a CASE consumer as investigations into the first incident were ongoing.

The complainant had received a targeted phishing email sent by an email address which did not originate from CASE’s domain.

CASE was later informed of more such occurrences, with 28 individuals telling the watchdog that they had received phishing emails.

PDPC investigations could not come to a “definitive conclusion” regarding how the data breach in the second incident occurred.

However, the commission concluded that it “likely occurred” during a data migration exercise conducted by CASE sometime between Dec 24, 2019, and Jan 1, 2020 as it switched IT vendors.

PDPC noted that the personal data of about 12,218 individuals involved in the data migration exercise was put at risk of unauthorised access and 
exfiltration. 

The data included email addresses, contact numbers, names and details of complaints made.

Affected consumers did not suffer any monetary losses in the second incident.



Source link