Software firm fined $74k for data breach caused by weak password; half a million users affected | The Straits Times

SINGAPORE - A company running online language lessons for children around the world used a password based on its website name, LingoAce, making it vulnerable to the data breach that resulted.

More than half a million users, comprising the company's students, parents, teachers and other staff, were affected.

Among the personal data compromised were cellphone numbers, bank account numbers, signatures and Chinese nationals' identity card numbers.

Singapore-based firm PPLingo was fined $74,000, according to a Personal Data Protection Commission (PDPC) judgment released on May 23. It runs online Chinese and English language classes for children aged four to 15.

Some time in April 2022, a hacker obtained the password of a LingoAce administrator account, "lingoace123", via brute-force attacks, a method that uses trial and error to guess passwords or crack encryption keys.

The password had remained unchanged for more than two years before the breach.

Using the privileged access of the compromised admin account, the hacker accessed the personal data of 557,144 users, among them an estimated 300,000 or more minors.

In the subsequent week, the hacker informed the firm that he had accessed LingoAce's systems and listed the personal data of several users in the message to prove it.

However, he did not follow up with any demands.

The commission found that the company had failed to put in place reasonable security arrangements to protect the personal data of its students, parents and staff.

The company was also found liable for not appointing anyone to ensure that it complied with Singapore's data protection laws.

It appointed a data protection officer only after the data breach, more than five years after the firm was incorporated in 2016.

PDPC found that the firm's security arrangements to protect personal data were inadequate because it had no password policy apart from requiring a minimum length of eight characters.

As the company's passwords did not need to be complex and never expired, hackers could easily gain access to the compromised admin account through brute-force attacks.

The password was also vulnerable because it was based on the platform's name and a common sequence of numbers.

The firm had also failed to implement multi-factor authentication for the compromised admin account. This feature has since become a baseline requirement for admin accounts to systems holding confidential, sensitive or large volumes of personal data.

Given factors like the firm's prompt remedial action, which included notifying affected users, the commissioner determined that the firm would be fined $74,000.

After the firm was informed of the decision in July 2023, it asked for a lower fine because of several considerations, including the fact that it had made voluntary notifications about the breach to other data protection authorities in more than 40 other affected locations.

To avoid double counting, the firm asked that the commission consider only Singapore-based individuals when assessing the number of people affected.

These reasons were rejected by the commission, which said that it would not lower the fine even if other data protection authorities meted out penalties for the same case.

PDPC also said that a firm is responsible for all personal data in its possession, not just that of individuals located here.

On May 23, PDPC also announced it had slapped a $28,000 fine on ferry operator Horizon Fast Ferry for a data leak affecting nearly 108,500 people who had booked tickets.

This was the second time that the Singapore-based firm, which provides ferries between Singapore and Batam, had been fined for flouting data protection laws here.

Personal data affected in the leak included customers' passport numbers, dates of birth and passport issue and expiry dates.

In March 2023, Horizon Fast Ferry received several ransomware emails which revealed that personal data of the firm's customers had been leaked.

About a month later, the firm informed PDPC of the leak. It also took remedial actions, such as engaging a vendor to develop a new website.

The commission found that the firm had failed to implement reasonable security arrangements, including not ensuring that its IT support vendor had staff sufficiently familiar with its operating system.

Editor's note: This report has been edited for clarity.

MCI (P) 066/10/2023. Published by SPH Media Limited, Co. Regn. No. 202120748H. Copyright 2024 SPH Media Limited. All rights reserved.
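The control gaps the PDPC describes in the LingoAce case (a policy limited to an eight-character minimum, no complexity or expiry rule, a password built from the platform name plus a common digit sequence, and no multi-factor authentication on the admin account) map onto a small set of checks an administrator can enforce when a privileged credential is set or reviewed. The Python example below was written for this page and is not code from PPLingo, LingoAce or the PDPC. The thresholds (12-character minimum, three character classes, 365-day maximum age), the list of common sequences and the dates are constructed assumptions; the password "lingoace123" is the one reported in the article.

```python
import re
from datetime import date

# Policy thresholds: assumed values for this example. The article only says the
# firm's sole rule was a minimum length of eight characters, with no complexity
# or expiry requirement.
MIN_LENGTH = 12
MAX_AGE_DAYS = 365
MIN_CHARACTER_CLASSES = 3

# Constructed list of digit runs and keyboard/dictionary fragments that are
# commonly appended to a base word (the breached password ended in "123").
COMMON_SEQUENCES = ("123", "1234", "12345", "111", "000", "abc", "qwerty", "password")

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_admin_credential(password, platform_names, last_changed, today, mfa_enabled):
    """Evaluate an admin credential against the policy and return a list of findings.

    An empty list means the credential passes every check.
    """
    findings = []

    if len(password) < MIN_LENGTH:
        findings.append(f"length {len(password)} is below the minimum of {MIN_LENGTH}")

    classes_present = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes_present < MIN_CHARACTER_CLASSES:
        findings.append(f"only {classes_present} character class(es); need {MIN_CHARACTER_CLASSES}")

    lowered = password.lower()
    # Reject any password that embeds the platform or product name, in any letter case.
    for name in platform_names:
        if name.lower() in lowered:
            findings.append(f"contains the platform name '{name}'")

    for seq in COMMON_SEQUENCES:
        if seq in lowered:
            findings.append(f"contains the common sequence '{seq}'")

    # Expiry: the breached password had been unchanged for more than two years.
    age_days = (today - last_changed).days
    if age_days > MAX_AGE_DAYS:
        findings.append(f"unchanged for {age_days} days; limit is {MAX_AGE_DAYS}")

    # MFA is a property of the account rather than the password, but the PDPC
    # treats it as a baseline control for admin accounts, so it is checked here.
    if not mfa_enabled:
        findings.append("multi-factor authentication is not enabled on this admin account")

    return findings


def breached_password_findings():
    """The credential described in the article, with constructed dates: set in
    early 2020 and still in use in April 2022, with MFA absent."""
    return check_admin_credential(
        password="lingoace123",
        platform_names=["LingoAce"],
        last_changed=date(2020, 1, 1),
        today=date(2022, 4, 1),
        mfa_enabled=False,
    )


def compliant_password_findings():
    """A constructed credential that satisfies every check."""
    return check_admin_credential(
        password="Sp1nach-Orbit!Glow",
        platform_names=["LingoAce"],
        last_changed=date(2022, 3, 2),
        today=date(2022, 4, 1),
        mfa_enabled=True,
    )


if __name__ == "__main__":
    for label, findings in (("breached", breached_password_findings()),
                            ("compliant", compliant_password_findings())):
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run stand-alone, the script reports every policy failure for the breached credential (length, character classes, platform name, the "123" suffix, age and missing MFA) and a clean pass for the compliant one. The platform-name check is a case-insensitive substring match so that variants such as "LingoAce2022" are caught as well, and all findings are collected rather than stopping at the first so that a reviewer sees the full picture for each account.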