$9,000 fine for manpower service firm which leaked data of 23,940 people

SINGAPORE - Manpower services firm Century Evergreen has been fined $9,000 by Singapore's data privacy watchdog over a vulnerability that allowed the identification documents of 23,940 people to be downloaded from its website.

These documents included images of their National Registration Identity Card (NRIC).

More than 96,880 images of these documents were downloaded from the firm's website over three days in December 2022, the Personal Data Protection Commission (PDPC) said on Friday (Sept 15).

The firm, which supplies part-timers to various industries in Singapore, requires jobseekers to submit their identification documents to verify their identity and suitability.

The leak was discovered by an unnamed party who realised that images of the identification documents were publicly accessible on Century Evergreen's website and lodged a complaint with the PDPC on Dec 11, 2022.

Following the PDPC's investigations, the firm admitted that the vulnerability, which had allowed the unnamed party to reach other people's personal data simply by manipulating the website's URL (a classic direct-object-reference weakness: the file paths were guessable and the server never checked who was asking), had existed since the website's launch in 2015.

The firm admitted that it failed to include any security requirements to protect personal data in its contract with the vendor who developed and maintained the website.

It also admitted that, apart from functionality testing when the website was launched, it made no arrangements with its IT vendor to conduct security testing either before or after the launch.
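The flaw described above is easy to reproduce in miniature. The following is an added illustration, not code from Century Evergreen, its vendor or the PDPC: a toy document store with sequential, guessable upload paths and no authorisation check (the "vulnerable" half), beside a hardened version that requires an authenticated requester who owns the file or is staff and that serves files under random, non-enumerable handles. The class names, the `/uploads/` path layout and the sample NRIC-scan bytes are all constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Document:
    owner: str      # jobseeker who uploaded the scan
    content: bytes  # the scanned identity document (constructed sample bytes in tests)


class VulnerableDocumentStore:
    """Models the flaw in the case: uploads are served at a guessable,
    sequential path and the download handler never checks who is asking."""

    def __init__(self):
        self._docs = {}
        self._next_id = 1

    def upload(self, owner, content):
        doc_id = self._next_id  # sequential: /uploads/1.jpg, /uploads/2.jpg, ...
        self._next_id += 1
        self._docs[doc_id] = Document(owner, content)
        return f"/uploads/{doc_id}.jpg"

    def download(self, path, requester=None):
        # 'requester' is accepted but ignored: no authentication, no ownership check.
        doc_id = int(path.rsplit("/", 1)[1].split(".")[0])
        return self._docs[doc_id].content


def enumerate_uploads(store, max_id):
    """What URL manipulation amounts to: walk the id space and collect every file."""
    leaked = []
    for doc_id in range(1, max_id + 1):
        try:
            leaked.append(store.download(f"/uploads/{doc_id}.jpg"))
        except KeyError:
            continue  # gap in the sequence; keep scanning
    return leaked


class HardenedDocumentStore:
    """Same API with two fixes: every download needs an authenticated requester who
    owns the file (or is on the staff list), and paths carry a random 256-bit
    handle, so they cannot be enumerated even if the access check is ever bypassed."""

    def __init__(self, staff):
        self._docs = {}
        self._staff = frozenset(staff)

    def upload(self, owner, content):
        handle = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable
        self._docs[handle] = Document(owner, content)
        return f"/uploads/{handle}"

    def download(self, path, requester=None):
        if requester is None:
            raise PermissionError("authentication required")
        handle = path.rsplit("/", 1)[1]
        doc = self._docs.get(handle)
        # One error for both 'no such file' and 'not yours': no oracle for probing handles.
        if doc is None or (doc.owner != requester and requester not in self._staff):
            raise PermissionError("not authorised")
        return doc.content


if __name__ == "__main__":
    vuln = VulnerableDocumentStore()
    for who in ("alice", "bob", "carol"):
        vuln.upload(who, f"NRIC-scan-{who}".encode())  # constructed sample content
    print("vulnerable store leaks", len(enumerate_uploads(vuln, 10)), "documents to an anonymous caller")

    safe = HardenedDocumentStore(staff={"hr_admin"})
    path = safe.upload("alice", b"NRIC-scan-alice")
    print("owner fetch ok:", safe.download(path, requester="alice") == b"NRIC-scan-alice")
    try:
        safe.download(path, requester="bob")
    except PermissionError as exc:
        print("other user blocked:", exc)
```

Random handles alone are not the fix; they only limit the blast radius if the authorisation check is ever broken. The ownership check in `download` is the control that was missing, and it is exactly the kind of thing a pre-launch security test, which the firm admitted it never commissioned, would have caught.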

In its report, the PDPC said the organisation's failure to put in place reasonable security arrangements to protect personal data was a matter of "gross negligence", given the long period of non-compliance between 2015 and 2022.

The PDPC said the amount of the financial penalty was decided after considering several factors, including the firm's voluntary admission of the breach, its prompt action to remedy the vulnerability and its poor financial performance in the most recent financial year.

Separately, car rental company Autobahn Rent A Car was fined $3,000 by the PDPC after its system was hacked, resulting in the theft and sale of 53,000 sets of personal data on a cybercrime forum.

The hacker had used an administrator account that was never revoked and that had access to the database of Shariot, the company's car-sharing service. The intrusion surfaced when an image in Shariot's mobile application was replaced with a pornographic picture, the PDPC said on Wednesday.

The photograph was reported to the company through customer feedback on Sept 24, 2022.


The company then traced the photograph to an ex-employee's administrator account, which had not been revoked even though the ex-employee had left in May 2022.

It learnt that the ex-employee had, on Sept 10, 2022, received an e-mail from an unknown sender stating that his personal laptop had been hacked and demanding a ransom in Bitcoin.

Using the former employee's admin account, the hacker stole a copy of Shariot users' personal data.

On Oct 21, 2022, a cybersecurity solutions provider alerted the company that a Shariot database containing personal data was put up for sale on a cybercrime forum. It included names, e-mail addresses, mobile phone numbers, NRIC numbers and general location data such as Bishan and Toa Payoh.

On the same day, the company reported the personal data breach to the PDPC.

Following the incident, the company also conducted an internal audit of its administrator accounts, enhanced its system to mask NRIC numbers so that only the last four characters are shown, and conducted training.

The PDPC said the company admitted that it had failed to ensure it had put in place reasonable security arrangements to prevent the unauthorised access or disclosure of the personal data in its possession or control.


The company also accepted that the breach would not have occurred had it implemented multi-factor authentication as an additional control for the admin accounts that had access to its sizeable user database.
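The two controls the case turns on, revoking accounts when their owners leave and requiring MFA on administrator accounts, are easy to check mechanically once HR records and the identity system can be compared. The following is an added example of such an audit, not Autobahn's or the PDPC's code: it joins a constructed list of employees (with leaving dates) against a constructed list of accounts and flags active accounts belonging to leavers, admin accounts without MFA, admin accounts with no matching employee record, and admin accounts unused for 90 days. The record shapes, usernames and dates are all assumptions made for the example; the dates only loosely echo the timeline in the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    username: str
    left_on: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    username: str
    role: str                 # "admin" or "user"
    active: bool
    mfa_enabled: bool
    last_login: Optional[date]


def audit_accounts(employees: List[Employee], accounts: List[Account], as_of: date,
                   stale_after: timedelta = timedelta(days=90)) -> List[Tuple[str, str]]:
    """Return (username, reason) findings for the offboarding and MFA gaps in the case."""
    known = {e.username for e in employees}
    leavers = {e.username: e.left_on for e in employees
               if e.left_on is not None and e.left_on <= as_of}
    findings = []
    for acct in accounts:
        if not acct.active:
            continue  # disabled accounts are the desired end state; nothing to flag
        if acct.username in leavers:
            findings.append((acct.username,
                             f"active account of leaver (left {leavers[acct.username]})"))
        elif acct.username not in known:
            # Shared or service accounts with no owner are the next thing that goes unrevoked.
            findings.append((acct.username, "active account with no matching employee record"))
        if acct.role == "admin" and not acct.mfa_enabled:
            findings.append((acct.username, "admin account without MFA"))
        if acct.role == "admin" and (acct.last_login is None
                                     or as_of - acct.last_login > stale_after):
            findings.append((acct.username, "admin account not used in 90 days"))
    return findings


def run_sample() -> List[Tuple[str, str]]:
    """Constructed sample data: one leaver whose admin account was never disabled."""
    employees = [
        Employee("jlee", date(2022, 5, 31)),   # left in May, account still live
        Employee("mtan", None),
        Employee("rkumar", None),
    ]
    accounts = [
        Account("jlee", "admin", active=True, mfa_enabled=False, last_login=date(2022, 9, 24)),
        Account("mtan", "admin", active=True, mfa_enabled=True, last_login=date(2022, 9, 20)),
        Account("rkumar", "user", active=True, mfa_enabled=False, last_login=date(2022, 9, 23)),
        Account("svc_backup", "admin", active=True, mfa_enabled=False, last_login=date(2022, 1, 10)),
    ]
    return audit_accounts(employees, accounts, as_of=date(2022, 9, 24))


if __name__ == "__main__":
    for username, reason in run_sample():
        print(f"{username:12s} {reason}")
```

Note that the leaver's account shows a recent `last_login`: an account being used is not evidence that it is legitimate, which is why the join against HR records is the check that matters, and why the MFA finding should be treated as blocking for anything that can read the user database.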

The PDPC said a financial penalty was imposed as the personal data breach was "not insignificant".

In addition to the fine, the company was also directed to implement additional controls.

This article was first published in The Straits Times. Permission required for reproduction.
