Law Society, 2 firms found responsible for data breaches

Source: Straits Times
Article Date: 12 May 2023
Author: Ang Qing

The Law Society has been ordered to plug security gaps after a ransomware attack compromised information of 16,009 members while online furniture store Fortytwo has been fined $8,000 for another data breach.

These were among findings published by the Personal Data Protection Commission (PDPC) on Thursday.

In a written judgment, Singapore’s privacy watchdog said the Law Society had “negligently breached” its obligation to protect personal information by “using an easily guessable password” for its IT administrator account, which was compromised through a separate vulnerability.

Poor password practices for the account emerged after the PDPC’s investigations into a ransomware attack on the Law Society’s servers on Jan 27, 2021, which then encrypted and denied the organisation access to members’ personal data including their NRIC numbers and residential addresses.

The attack was detected on the same day and the organisation took immediate steps to restore the servers to their original state.

Investigations found that the administrator’s account had a weak password, “Welcome2020lawsoc”, which the Law Society acknowledged was vulnerable to dictionary attacks, a brute-force technique in which attackers run through lists of common words and phrases.

Contrary to the organisation’s password policy, the account’s password had also been used for more than 90 days and was not changed every three months.
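The two findings above (a password built from a dictionary word, a year and an organisation name, and a password left in place beyond the 90-day rotation policy) can be screened for with a simple policy audit. This is an added example, not code from the article or from any of the organisations it describes; the wordlist, organisation tokens and the change date are constructed.

```python
import re
from datetime import date

# Constructed stand-in for a real dictionary-attack wordlist.
COMMON_WORDS = {"welcome", "password", "admin", "login", "summer", "winter", "letmein"}
MAX_AGE_DAYS = 90  # rotation interval stated in the Law Society's policy


def weak_components(password: str, org_tokens: set[str]) -> list[str]:
    """Return the predictable building blocks found in a password."""
    reasons = []
    # Split on anything that is not a letter, so "Welcome2020lawsoc"
    # yields the tokens "welcome" and "lawsoc".
    for token in re.split(r"[^a-z]+", password.lower()):
        if token in COMMON_WORDS:
            reasons.append(f"dictionary word '{token}'")
        elif token in org_tokens:
            reasons.append(f"organisation identifier '{token}'")
    if re.search(r"(19|20)\d{2}", password):
        reasons.append("four-digit year")
    return reasons


def audit(password: str, last_changed: date, today: date, org_tokens: set[str]) -> list[str]:
    """Combine composition checks with the password-age check from the rotation policy."""
    findings = weak_components(password, org_tokens)
    age_days = (today - last_changed).days
    if age_days > MAX_AGE_DAYS:
        findings.append(f"password age {age_days} days exceeds {MAX_AGE_DAYS}-day policy")
    return findings


if __name__ == "__main__":
    # Constructed dates: a change in September 2020 checked on the day of the attack.
    for finding in audit("Welcome2020lawsoc", date(2020, 9, 1), date(2021, 1, 27), {"lawsoc"}):
        print("FAIL:", finding)
```

An empty list from `audit` means the password passed both the composition and the age checks; any entry is a policy violation to act on.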

The Law Society also did not conduct a review of its security arrangements within three years prior to the ransomware attack.

The organisation, however, was not held responsible for failing to patch a vulnerability in its VPN system, developed by Fortinet, which the judgment concluded was the likeliest cause of the ransomware attack.

Around November 2020, a file containing more than 45,000 session links and IP addresses for the VPN system of affected organisations, including Law Society, was posted in online forums.

Without patching the VPN’s firmware, clicking on each session link revealed its users’ credentials in plain text. These credentials likely included the password of the administrator’s account, allowing the hacker to gain access.

Using the compromised administrator’s account, the hacker created a new account with full administrative privileges and located Law Society’s servers where its members’ personal information was stored.

After considering Law Society’s checks on its vendor, the PDPC concluded that the organisation had reasonably relied on its vendor to perform software security patching and was not responsible for failing to patch its VPN system’s vulnerability.

It directed the Law Society to engage qualified security providers to conduct a thorough security audit of its arrangements for accounts with administrative privileges that can access directly or create access to personal data as well as to rectify any gaps identified.

Meanwhile, online furniture store Fortytwo was fined for failing to patch and update its website, which resulted in the personal particulars of 6,339 customers being leaked.

The information collected included 98 customers’ credit card details, the PDPC said in another written judgment.

The company reported the incident to PDPC on Dec 24, 2021.

Fortytwo was found to have breached its obligation to make reasonable security arrangements by not installing security patches released between 2017 and 2020, which addressed issues and bugs, including the injection of malicious code that ultimately captured its customers’ personal data.

The PDPC also held that the company had “ample notice” to upgrade its platform from November 2015 to early 2020 before the attack, but did not do so.

In addition to a fine of $8,000, the furniture company was directed to upgrade its website to a supported software version within six months.

In a separate judgment, recruitment firm Kingsforce Management Services was found to have breached its obligation to protect personal data after its database of about 54,900 jobseekers was sold on the now-defunct RaidForums on or about Dec 27, 2021.

On Jan 31, 2022, the PDPC was notified by the firm that its database, which included addresses, telephone numbers and e-mail addresses, had been available for sale.

External cybersecurity investigators identified outdated website coding technology as the cause of the incident.

The PDPC found that Kingsforce Management Services had failed to provide sufficient clarity and specifications on how to protect its database and did not conduct periodic security reviews within a reasonable timeframe since the launch of its website.

In deciding enforcement action against the breach, the privacy watchdog considered several factors including the immediate suspension of the website and the inaccessibility of affected data following the shutdown of RaidForums in 2022.

The PDPC has ordered the firm to ensure that regular patching, updates and upgrades take place for all software and firmware supporting its website and application through which personal data can be accessed.

The Straits Times has contacted the Law Society, Fortytwo and Kingsforce Management Services for comment.

Source: Straits Times © SPH Media Limited. Permission required for reproduction.