Database containing 5M customer records had been accessed and exfiltrated.
The Personal Data Protection Commission (“the Commission”) received a data breach notification from Commeasure Pte Ltd (“the Organisation”) that its database containing 5,892,843 customer records had been accessed and exfiltrated (“the
The Organisation first found out about the data breach on 19 September 2020 when a cybersecurity company based in Atlanta, United States of America, approached the Organisation with an offer to contain the breach and retrieve the data from the hackers. The Commission commenced investigations into the Incident thereafter.
The Organisation was incorporated in Singapore in 2014, and operates a hotel booking platform www.reddoorz.com which serves customers in the Southeast Asian region, such as Indonesia, Singapore, Philippines, Vietnam and Thailand. The Singapore office is primarily engaged in sales, finance and administrative activities, while all IT functions (including the management of the affected application package in this case) were managed by the Organisation’s subsidiary company, Commeasure Solutions India Pvt Ltd (“CPL India”).
Investigations revealed that the unknown threat actor(s) had most likely gained access and exfiltrated the Organisation’s database of customer records hosted in an Amazon RDS cloud database, after they obtained an Amazon Web Services (“AWS”) access key. The AWS access key was embedded within an Android application package (“the affected APK”)
publicly available for download from the Google Play Store.
This affected APK was created sometime in 2015, when the Organisation was still a start-up, and was last updated in January 2018. Even though the AWS access key had access to a “live” or production database, the AWS access key was embedded in the APK, and erroneously marked as a “test” key by the then-developers. With the exception of one of the Organisation’s co-founders and Chief Technology Officer, all the developers have since left the Organisation. Most unfortunately, even though the Organisation regarded this APK as
“defunct”, the APK remained publicly available for download on the Google Play Store until the Organisation became aware of the Incident and removed the affected APK.
The fact that the Organisation had treated the affected APK as a “defunct” APK meant that even though the Organisation had engaged a cybersecurity company to conduct a security review and penetration testing sometime from September 2019 to December 2019, it was not within the scope of the security review or penetration tests. Consequently, the vulnerability was left undetected and exposed until the Organisation found out about the Incident. Likewise, even though the Organisation used “Proguard” on its current Android apps to prevent reverse engineering of APKs, which may have prevented the unknown threat actors from retrieving the AWS access key, the Organisation failed to review and deploy “Proguard” on the affected APK which it regarded as “defunct”.
As a result of the Incident, the Organisation’s database containing 5,892,843 customer records which included the customer’s name, contact number, email address, date of birth, a hashed password (encrypted with one-way BCrypt hash algorithm) used by the customer to access their “RedDoorz” account and their booking information was accessed and exfiltrated by unknown threat actor(s). Based on the Organisation’s investigations, the unknown threat actor(s) did not gain access or download the customers’ masked credit card numbers.
In deciding the amount of financial penalty to be imposed, we also considered that the Organisation, which operates in the hospitality industry, had been severely impacted by the COVID-19 pandemic.
Having considered all the relevant factors of this case, the Commissioner hereby requires the Organisation to pay a financial penalty of S$74,000 within 30 days from the date of the relevant notice accompanying this decision, failing which interest at the rate specified in the Rules of Court6 in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full.