Consumers Association of Singapore fined S$20,000 for PDPA breaches following two data security incidents

The Consumers Association of Singapore (CASE) has been fined S$20,000 by the Personal Data Protection Commission (PDPC) for breaches under the Personal Data Protection Act (PDPA).

According to a judgement which was published on 28 August, the fine was imposed due to the consumer watchdog’s failure to implement reasonable security measures to protect the personal data in its possession and to establish necessary policies and practices required under the PDPA.

The breaches resulted in two significant incidents, one in October 2022 and another in June 2023, where the personal data of up to 34,760 individuals was potentially compromised.

Both incidents were handled under the Expedited Decision Procedure (EDP) at the request of CASE, with the organization admitting to all the facts and contraventions of the PDPA, leading to a faster resolution of the case.

The First Incident: Phishing Attack in October 2022

The first incident occurred in October 2022 when a threat actor accessed CASE’s email accounts and sent phishing emails from its official email addresses.

On 8 October 2022, some consumers received unsolicited emails from “[email protected],” which falsely claimed that their complaints had been escalated to the “collections and compensation department” and that they were eligible for compensation.

The recipients were asked to provide their banking details by clicking on a chat icon.

The following day, similar phishing emails were sent from “[email protected],” an account used for complaints that had progressed to mediation. CASE later discovered that the phishing emails had affected up to 22,542 email addresses.

Further investigations revealed that the phishing emails likely resulted from the threat actor obtaining login credentials from a CASE employee via a phishing attack.

The compromised accounts led to the sending of 5,205 phishing emails to 4,945 recipients. Although CASE acted swiftly to suspend the affected accounts and reset all administrator passwords, three consumers reported that they had clicked on the phishing links and collectively lost S$217,900. CASE subsequently lodged a police report.

The Second Incident: Data Breach During Vendor Migration

While PDPC was investigating the first incident, a second breach came to light in June 2023. On 22 June 2023, PDPC received a complaint about a phishing email that replicated a consumer’s complaint previously submitted to CASE.

This led to the discovery that the personal data of 12,218 individuals, including names, email addresses, contact numbers, and complaint details, had been exposed. The PDPC concluded that the breach likely occurred during a data migration exercise conducted by CASE between December 2019 and January 2020 when CASE switched vendors.

Investigations revealed that CASE’s contract with one of its vendors, Total eBiz Solutions Pte Ltd (TES), did not stipulate clear security responsibilities. This lack of contractual clarity contributed to the data breach during the migration process, highlighting CASE’s negligent vendor management.

PDPC Findings and Penalties

The PDPC found that CASE had failed to enforce its password management policy, with some passwords not meeting minimum length and complexity requirements and others remaining unchanged for up to four years. Furthermore, CASE’s vendor management was deemed negligent, as one of its contracts did not specify clear security responsibilities, putting personal data at risk.

CASE admitted to not conducting regular security awareness training for its staff, with the last session held five years before the first incident.

The PDPC also noted that CASE lacked an Information and Communications Technology (ICT) policy, particularly in relation to patching and maintaining IT systems. The absence of a documented IT infrastructure management plan, insufficient logging and monitoring practices, and the lack of security reviews over the three years preceding the first breach were significant failures highlighted in the judgment.

In assessing the financial penalty, the PDPC considered the nature and gravity of the breaches, the duration of non-compliance, and CASE’s annual turnover. The fine of $20,000 was determined to be appropriate in light of these factors.

Remedial Actions by CASE

It is said that CASE, which is headed by Mr Melvin Yong, People’s Action Party Member of Parliament for Radin Mas, has implemented several measures to enhance its cybersecurity in response to the breaches.

These include introducing multi-factor authentication for all web-based applications, strengthening password complexity requirements, decommissioning end-of-life devices, and implementing patch management software for security updates.

CASE has also revised its contracts with outsourced vendors to include data protection clauses and mandated annual data protection training for all staff members.

CASE is working towards obtaining the Cyber Essentials Mark and the Data Protection Trust Mark to reinforce its commitment to safeguarding personal data and complying with PDPA obligations.

The PDPC has directed CASE to review and update its data protection policies, rectify all identified security gaps, and report back within one week of completion. The organization has also been instructed to conduct a penetration test after addressing the vulnerabilities to ensure no further security gaps exist.