Consumers Association of Singapore fined S$20,000 for PDPA breaches following two data security incidents
The Consumers Association of Singapore (CASE) was fined $20,000 by the PDPC for failing to protect personal data in two incidents affecting 34,760 individuals. CASE admitted to inadequate security measures and has since implemented steps to enhance its cybersecurity practices.
The Consumers Association of Singapore (CASE) has been fined S$20,000 by the Personal Data Protection Commission (PDPC) for breaches under the Personal Data Protection Act (PDPA).
According to a judgment published on 28 August, the fine was imposed for the consumer watchdog’s failure to implement reasonable security measures to protect the personal data in its possession and to establish the policies and practices required under the PDPA.
The breaches resulted in two significant incidents, one in October 2022 and another in June 2023, where the personal data of up to 34,760 individuals was potentially compromised.
Both incidents were handled under the Expedited Decision Procedure (EDP) at the request of CASE, with the organization admitting to all the facts and contraventions of the PDPA, leading to a faster resolution of the case.
The First Incident: Phishing Attack in October 2022
The first incident occurred in October 2022 when a threat actor accessed CASE’s email accounts and sent phishing emails from its official email addresses.
On 8 October 2022, some consumers received unsolicited emails from “[email protected],” which falsely claimed that their complaints had been escalated to the “collections and compensation department” and that they were eligible for compensation.
The recipients were asked to provide their banking details by clicking on a chat icon.
The following day, similar phishing emails were sent from “[email protected],” an account used for complaints that had progressed to mediation. CASE later discovered that the phishing emails had affected up to 22,542 email addresses.
Further investigations revealed that the phishing emails likely resulted from the threat actor obtaining login credentials from a CASE employee via a phishing attack.
The compromised accounts led to the sending of 5,205 phishing emails to 4,945 recipients. Although CASE acted swiftly to suspend the affected accounts and reset all administrator passwords, three consumers reported that they had clicked on the phishing links and collectively lost S$217,900. CASE subsequently lodged a police report.
The Second Incident: Data Breach During Vendor Migration
While PDPC was investigating the first incident, a second breach came to light in June 2023. On 22 June 2023, PDPC received a complaint about a phishing email that replicated a consumer’s complaint previously submitted to CASE.
This led to the discovery that the personal data of 12,218 individuals, including names, email addresses, contact numbers, and complaint details, had been exposed. The PDPC concluded that the breach likely occurred during a data migration exercise conducted by CASE between December 2019 and January 2020 when CASE switched vendors.
Investigations revealed that CASE’s contract with one of its vendors, Total eBiz Solutions Pte Ltd (TES), did not stipulate clear security responsibilities. This lack of contractual clarity contributed to the data breach during the migration process, highlighting CASE’s negligent vendor management.
PDPC Findings and Penalties
The PDPC found that CASE had failed to enforce its password management policy, with some passwords not meeting minimum length and complexity requirements and others remaining unchanged for up to four years. Furthermore, CASE’s vendor management was deemed negligent, as one of its contracts did not specify clear security responsibilities, putting personal data at risk.
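Two of the findings above, passwords below the minimum length or complexity and passwords unchanged for up to four years, are exactly what a written policy fails to prevent unless it is enforced at set time and audited afterwards. The script below is an added example for this article, not CASE's policy or any product's code. The policy values (12 characters, three of four character classes, 365-day maximum age, 90 days for administrators), the record layout and the tiny denylist are assumptions, and the account records are constructed. It works only on password-change metadata and on a candidate password at the moment it is set; it never needs stored passwords.

```python
"""Enforce a password policy at set time and audit accounts for stale
passwords. Added example; policy values and records are assumed/constructed."""
from dataclasses import dataclass
from datetime import date
import string

# Assumed policy; adjust to the organisation's own standard.
POLICY = {
    "min_length": 12,
    "min_classes": 3,          # of: upper, lower, digit, symbol
    "max_age_days": 365,
    "admin_max_age_days": 90,  # privileged accounts rotate more often
}

# Constructed denylist of well-known weak choices (compared case-insensitively).
DENYLIST = {"password123!", "welcome2022!", "changeme123!"}


def password_policy_violations(candidate, policy=POLICY):
    """Return a list of violations for a new password; empty means acceptable."""
    issues = []
    if len(candidate) < policy["min_length"]:
        issues.append("too_short")
    classes = sum([
        any(c.isupper() for c in candidate),
        any(c.islower() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ])
    if classes < policy["min_classes"]:
        issues.append("low_complexity")
    if candidate.lower() in DENYLIST:
        issues.append("common_password")
    return issues


@dataclass
class AccountRecord:
    username: str
    last_changed: date   # date the password was last set
    is_admin: bool


def stale_accounts(records, today, policy=POLICY):
    """Return {username: age_in_days} for accounts past their maximum password age."""
    stale = {}
    for r in records:
        limit = policy["admin_max_age_days"] if r.is_admin else policy["max_age_days"]
        age = (today - r.last_changed).days
        if age > limit:
            stale[r.username] = age
    return stale


# Constructed records: one admin password four years old, one user password over a year old.
RECORDS = [
    AccountRecord("it-admin", date(2018, 9, 15), True),
    AccountRecord("mediation-desk", date(2021, 6, 30), False),
    AccountRecord("complaints-desk", date(2022, 7, 1), False),
    AccountRecord("backup-admin", date(2022, 8, 1), True),
]

if __name__ == "__main__":
    for pw in ["abc123", "Tr0ub4dor&3", "Password123!", "Compl3x-Passphrase!"]:
        print(f"{pw!r}: {password_policy_violations(pw) or 'ok'}")
    for user, age in stale_accounts(RECORDS, date(2022, 10, 1)).items():
        print(f"STALE {user}: password last changed {age} days ago")
```

Run the age audit on a schedule and feed its output to whoever owns the accounts; a policy that exists only as a document, which is what the PDPC found here, catches nothing.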
CASE admitted to not conducting regular security awareness training for its staff, with the last session held five years before the first incident.
The PDPC also noted that CASE lacked an Information and Communications Technology (ICT) policy, particularly in relation to patching and maintaining IT systems. The absence of a documented IT infrastructure management plan, insufficient logging and monitoring practices, and the lack of security reviews over the three years preceding the first breach were significant failures highlighted in the judgment.
In assessing the financial penalty, the PDPC considered the nature and gravity of the breaches, the duration of non-compliance, and CASE’s annual turnover. The fine of $20,000 was determined to be appropriate in light of these factors.
Remedial Actions by CASE
CASE, which is headed by Mr Melvin Yong, People’s Action Party Member of Parliament for Radin Mas, is reported to have implemented several measures to strengthen its cybersecurity in response to the breaches.
These include introducing multi-factor authentication for all web-based applications, strengthening password complexity requirements, decommissioning end-of-life devices, and implementing patch management software for security updates.
CASE has also revised its contracts with outsourced vendors to include data protection clauses and mandated annual data protection training for all staff members.
CASE is working towards obtaining the Cyber Essentials Mark and the Data Protection Trust Mark to reinforce its commitment to safeguarding personal data and complying with PDPA obligations.
The PDPC has directed CASE to review and update its data protection policies, rectify all identified security gaps, and report back within one week of completion. The organization has also been instructed to conduct a penetration test after addressing the vulnerabilities to ensure no further security gaps exist.
Confused which are independent
I can’t stop laughing cz I saw a blue moon at least in 60 years.
All the Data Protection and change of passwords etc doesn’t protect anyone as there will be bad actors in every industry. However as the government is forcing these new systems which is in experimental stages on to the Public, there must be legislation which states that all monetary loss or data breaches will be compensated to protect the Public. A $20,000/- fine does not serve Public interest.
A watch dog that could not watch itself?
Same as to PAP could not POFMA themselves!
You local fucktards come polling day, better WATCH WHERE YOU MARK THAT ‘X’ NEXT TO WHICH SYMBOL HOR!
Don’t after kenna fucked for another 5 yrs, come back to this forum to kow peh kow bu for another 5 yrs too!😆😆😆😆🤣🤣🤣🤣😆😆😆