Singapore Privacy Commissioner imposes $35,000 financial penalty for failing to put in place reasonable data security, which resulted in a data breach involving the theft of 1.26 million users’ personal information.
April 27, 2022
The Singapore Personal Data Protection Commission has imposed a $35,000 fine on GeniusU for failing to prevent unauthorised access to, and exfiltration of, the personal information of 1.26 million users. It is a significant data breach for Singapore in terms of the number of individuals affected: Singapore has a population of a little over 5 million.
As is all too common, there was more than one mistake in GeniusU’s cyber security set-up. The likely entry point was a developer’s compromised password. Once in, it was easy to exfiltrate the data, because the database credentials were stored in the codebase in its GitHub environment.
The decision summary relevantly provides:
- On 12 January 2021, GeniusU Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of unauthorized access and exfiltration of a staging application database (the “Database”) holding personal data (the “Incident”).
- The personal data of approximately 1.26 million users were affected. The datasets affected comprised first and last name, email address, location and last sign-in IP address.
- The Organisation’s internal investigations revealed that the likely cause of the Incident was the compromise of one of its developers’ passwords, either because the developer used a weak password for his GitHub account or the password for his GitHub account had been compromised. This allowed the threat actor to enter the Organisation’s GitHub environment. As the Organisation had stored the login credentials to the Database in the codebase in its GitHub environment, the threat actor was able to gain access to and exfiltrate personal data stored in the Database.
- The Organisation took the following remedial measures after the Incident:
  a. Rotated the credentials of the Database;
  b. Removed all hard-coded credentials from the codebase;
  c. Purged all existing website sessions;
  d. Removed all personal data from non-production environment servers;
  e. Implemented multi-factor authentication on all work-related accounts;
  f. Implemented a standardised cyber security policy and related procedures for all staff; and
  g. Notified users and the GDPR data authority (Ireland) of the Incident.
- The Commission accepted the Organisation’s request for this matter to be handled under the Commission’s expedited breach decision procedure. This meant that the Organisation had voluntarily provided and unequivocally admitted to the facts set out in this decision. The Organisation also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”).
- Based on its admissions, the Organisation had breached the Protection Obligation by:
  a. Storing credentials for the Database in the codebase in its GitHub environment. This meant that once the threat actor was able to access the GitHub environment, he was able to discover the credentials to access personal data stored in the Database; and
  b. Storing actual personal data in the Database that was in a non-production (testing) environment, which are usually not as secure as production environments. Actual personal data should not be stored in testing environments, which are known to be less secure.
- In the circumstances, the Organisation is found to be in breach of section 24 of the PDPA.
- Having considered the circumstances set out above and the factors listed at section 48J(6) of the PDPA and the circumstances of the case, including (i) the Organisation’s upfront voluntary admission of liability which significantly reduced the time and resources required for investigations; and (ii) the prompt remedial actions undertaken by the Organisation, the Organisation is given a notice to pay a financial penalty of $35,000.
- The Organisation must make payment of the financial penalty within 30 days from the date of the notice accompanying this decision, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full.
- In view of the remedial actions taken by the Organisation, the Commission will not issue any directions under section 48I of the PDPA.
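The first failure the Commission identified, database credentials committed to the codebase, is one that can be checked for mechanically before code reaches a shared repository. The following is an added example, not GeniusU’s code or anything from the decision: a small Python scanner that flags embedded database credentials in a constructed set of repository files, paired with a loader that accepts the database URL only from the environment and refuses to fall back to a literal. The file names, contents and credential patterns are assumptions constructed for illustration.

```python
import os
import re

# Constructed sample of repository files (not GeniusU's code): two files embed a
# database credential, the third reads it from the environment instead.
SAMPLE_REPO = {
    "config/database.yml": (
        "staging:\n"
        "  adapter: postgresql\n"
        "  host: db-staging.internal\n"
        "  username: app\n"
        "  password: s3cretStagingPw\n"
    ),
    "app/settings.py": (
        "DATABASE_URL = 'postgres://app:hunter2@db-staging.internal:5432/app'\n"
        "DEBUG = True\n"
    ),
    "app/clean_settings.py": (
        "import os\n"
        "DATABASE_URL = os.environ['DATABASE_URL']\n"
    ),
}

# Heuristic patterns for credentials written directly into source or config files.
CREDENTIAL_PATTERNS = [
    # Connection URI carrying user:password@host, e.g. postgres://user:pw@host/db
    re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@'\"]+:[^/\s@'\"]+@", re.IGNORECASE),
    # Password-like key assigned a literal value; environment lookups are excluded.
    re.compile(
        r"\b(password|passwd|pwd|secret|db_pass(?:word)?)\b\s*[:=]\s*['\"]?"
        r"(?!os\.environ|\$\{|\$)[^\s'\"]+",
        re.IGNORECASE,
    ),
]


def find_hardcoded_credentials(files):
    """Return (path, line_no, line) for every line that looks like an embedded credential."""
    findings = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            if any(p.search(line) for p in CREDENTIAL_PATTERNS):
                findings.append((path, line_no, line.strip()))
    return findings


def load_db_url(env=None):
    """Hardened loader: take the credential from the environment, fail loudly if absent."""
    env = os.environ if env is None else env
    url = env.get("DATABASE_URL")
    if not url:
        raise RuntimeError("DATABASE_URL is not set; refusing to fall back to a hard-coded value")
    return url
```

Running `find_hardcoded_credentials(SAMPLE_REPO)` reports the YAML password line and the URI in `app/settings.py` but not the environment-based file; a real pre-commit hook would wire the same check over `git diff --cached` output.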
The Straits Times report on it provides:
SINGAPORE – GeniusU, a Singapore-based education technology company, has been fined $35,000 for a data breach that resulted in the theft of 1.26 million users’ personal data.
The incident is one of the largest data breaches here in recent years, in terms of the number of users affected.
The largest breach to date affected nearly 5.9 million South-east Asian customers of hotel booking site RedDoorz in late 2020. It was fined $74,000 by the Personal Data Protection Commission (PDPC), Singapore’s privacy watchdog.
Before that, SingHealth and Integrated Health Information Systems were fined a combined $1 million for a 2018 incident that affected 1.5 million people.
While the number of users affected is significant, the GeniusU leak did not include more sensitive information like financial or health data, noted lawyer Nathanael Lim, who specialises in technology law at the firm Reed Smith.
“The fine levied may appear to be on the lower end of the scale considering the number of users affected, but it is clear the PDPC also considered GeniusU’s voluntary admission and cooperation, as well as its swift remedial actions,” he said.
“Organisations should take note of this in the event of any data breach.”
In a written decision published on Thursday (April 21), the PDPC said GeniusU had failed to put in place reasonable security arrangements to prevent the unauthorised access and theft of users’ personal data, including first and last names, e-mail addresses, location information and last sign-in IP addresses.
GeniusU notified the PDPC of the incident on Jan 12, 2021.
The day before, GeniusU’s head of product at the time, Ms Kathleen Hamilton, had acknowledged the breach in a post on the company’s website.
She had said GeniusU’s support team was made aware of the incident on Jan 9 last year, adding that the breach appeared to have occurred in early November 2020.
Internal investigations by GeniusU found that the breach was likely caused by a compromised account belonging to one of its developers.
The login credentials to a GeniusU database containing the personal data had been stored in code hosted on GitHub, a software development platform.
The developer had either used a weak GitHub password, or had his password compromised.
Criminals then found the login credentials using his GitHub account, gained access to the GeniusU database and stole the data.
The PDPC also noted that the stolen data had been stored in a testing environment, or a system used for testing code.
It added that real personal data should not be stored in testing environments as they are known to be less secure than production environments, or the actual live systems that platforms operate on.
Following the incident, GeniusU refreshed the login credentials to the breached database, removed all hard-coded credentials from its code on GitHub and cleared existing login sessions.
It also removed all personal data from non-production environment servers, and implemented multi-factor authentication for all work-related accounts, as well as a standardised cyber-security policy and related procedures for all staff.
Besides notifying the PDPC of the breach, GeniusU also notified its users and the General Data Protection Regulation (GDPR) authority in Ireland.
In deciding the appropriate fine, the PDPC took into consideration the fact that GeniusU had voluntarily disclosed the incident and admitted its liability, as well as its prompt remedial actions.
GeniusU has over 2.7 million members, according to its website. It is unclear how many of the affected users are based in Singapore.
The Straits Times has contacted GeniusU for comment.
Separately, the PDPC on Thursday also fined Trinity Christian Centre $20,000 for similarly breaching its data protection obligations.
On or around Feb 17, 2021, the church was hit by a ransomware attack on a server containing 72,285 individuals’ data, including that of about 8,300 minors.
The types of data on the server included names, full identification numbers, residential addresses, contact numbers, e-mail addresses, photographs, dates of birth, ages, marital statuses, education levels and descriptions of medical conditions gathered during counselling sessions, but the church’s investigations did not find evidence that the data had been stolen.
The culprit had exploited an unsecured remote access protocol and accessed the church’s network using a compromised administrator account that had previously been assigned to an IT vendor for developing and testing applications.
The ransomware attack rendered the server inaccessible, but the church managed to restore the affected database using back-up copies.
Trinity Christian Centre notified the PDPC on March 11 last year, and notified church members on April 8 last year.
The church also changed all user and administrator passwords, closed the gaps in its remote access protocols and restricted administrator-level access to its servers and workstations.
A security review was conducted and the church implemented real-time threat monitoring, detection and response measures.
The PDPC noted the sensitive nature of the affected data and said the church had failed to stipulate data protection requirements in its contract with the vendor, thereby breaching the PDPA.
The authority considered, as mitigating factors, the church’s upfront admission of the breach, its prompt remedial actions and the fact that no evidence suggested the data had been stolen.