Data breach at RedDoorz hit 6m customers; hospitality platform fined S$74,000
This is the largest data breach incident since Singapore's Personal Data Protection Act came into force.
Hospitality platform RedDoorz was found to have compromised the security of 5.9 million customer records in the largest data breach incident since Singapore's Personal Data Protection Act (PDPA) came into force.
RedDoorz, a loss-making startup fuelled by venture capital, was fined S$74,000 in September for failing to prevent the external access and exfiltration of the data. The decision was published by the Personal Data Protection Commission (PDPC) on Thursday (Nov 11).
Millions of user records appeared to be advertised for sale on underground forums in September and October 2020 following the breach, The Business Times reported last December. The posts were later removed and the database was no longer available for purchase.
Formal investigations showed compromised records include the customer's name, contact number, email address, date of birth, a hashed password and their booking information. Masked credit card numbers were not accessed or downloaded.
The records were hosted in an Amazon cloud database. One or more threat actors likely obtained an access key embedded within an Android application package (APK), created by RedDoorz in 2015, that anyone could download from the Google Play Store.
An APK is a file format used by the Android operating system for the distribution and installation of mobile apps.
The APK and Amazon Web Services (AWS) access key were left out of RedDoorz's security reviews after the company wrongly labelled the APK as "defunct" and the access key as a "test" key.
RedDoorz blamed its failure to manage its inventory of infrastructure access keys on its high turnover of employees over the past few years. PDPC's deputy commissioner Yeong Zee Kin called the explanation unacceptable.
"The organisation's responsibility to protect personal data in its control or possession commences ought not to have been subjected to staff movement or appointment," he said.
AWS also cautioned users not to "embed access keys directly into code", which was what RedDoorz had done.
Yeong said a lengthy period of 2 years and 9 months passed from the time RedDoorz made its last update to the APK in January 2018 to when the company found out about the data breach last September.
In deliberating the financial penalty to be meted out, the Commission took into account several mitigating factors including RedDoorz's cooperation in investigations. It noted the company had conducted periodic security reviews, though efforts were ultimately futile as the reviews did not include the affected APK.
The Commission also considered the pandemic's severe impact on the hospitality industry that RedDoorz operates in.
Following the incident, RedDoorz amended its credential policy to clearly prohibit developers from embedding access codes in any code base. It upgraded its infrastructure to a private space to isolate the customer database from the Internet.
Among other remedial measures, the startup also separated the accounts for production and staging environments for all AWS services. It enabled 2-factor authentication for all tools and accounts used by developers.
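A review-time check of the kind that would have caught the key the RedDoorz reviews missed, added here as an example (not RedDoorz's or AWS's code): it opens a built APK as the ZIP archive it is and scans every entry for AWS access key IDs, reporting a secret-key candidate only where an ID is present. The APK is constructed inline and the credential values are the placeholder keys from AWS's own documentation.

```python
import io
import re
import zipfile

# Access key IDs start with AKIA (long-term) or ASIA (temporary) followed by 16
# upper-case alphanumerics. The secret-key pattern (40 base64-alphabet chars) is a
# heuristic, so it is only applied to entries that already contain a key ID.
ACCESS_KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def scan_bytes(name, data):
    """Return (entry_name, kind, value) findings for one file's raw bytes."""
    findings = []
    key_ids = ACCESS_KEY_ID_RE.findall(data)
    for kid in key_ids:
        findings.append((name, "access_key_id", kid.decode()))
    if key_ids:  # hunt for a secret only when an ID sits in the same entry
        for sec in SECRET_KEY_RE.findall(data):
            findings.append((name, "secret_access_key_candidate", sec.decode()))
    return findings


def scan_apk(apk_bytes):
    """Walk every entry of an APK (a ZIP archive) and scan its raw bytes.

    DEX and compiled resources are not decoded; scanning raw bytes still catches
    keys stored as plain ASCII strings, which is how they are usually embedded."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                findings.extend(scan_bytes(info.filename, zf.read(info)))
    return findings


def build_sample_apk():
    """Constructed stand-in for an APK: one clean entry and one leaky one.
    The key values are AWS documentation placeholders, not real credentials."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='example.app'/>")
        zf.writestr("res/raw/config.properties",
                    "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\n"
                    "aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind, value in scan_apk(build_sample_apk()):
        print(f"{entry}: {kind} = {value}")
```

Run against every APK in a release archive, including ones believed retired, so a key cannot escape review by being labelled "defunct" or "test".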
RedDoorz operates a hotel booking platform and budget hotel chains in South-east Asia. It entered the midscale hotel and economy lifestyle segments during the pandemic.
The startup has raised US$130.8 million in equity funding to date, data platform VentureCap Insights showed. Its revenue was S$11.6 million for the year ended Dec 2019, before the effects of the pandemic.
Singapore in November 2020 passed amendments to its data protection law that allow the PDPC to impose harsher fines and hold organisations accountable through mandatory reporting.
Under a key change to the Bill that has yet to take effect, a company that infringes the PDPA can be fined up to 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher. The current cap for financial penalties is S$1 million.
Source: Business Times © Singapore Press Holdings Ltd. Permission required for reproduction.