CASE fined SG$20,000 for personal data breach

share on

twitter /
facebook /
linkedin /
- email
- telegram
- whatsapp
- wechat
- pinterest
- line
- snapchat
- reddit

The Consumers Association of Singapore (CASE) has been fined SG$20,000 for breaching protection and accountability obligations. The Personal Data Protection Commission (PDPC) published a judgement saying that CASE failed to "put in place reasonable security arrangements to protect the personal data in its possession of under its control".

It added that CASE failed to "develop and implement policies and practices that are necessary to meet its obligation under the Personal Data Protection Act (PDPA)".

Don't miss: 'Google is a monopolist,' rules US judge in antitrust case

The breaches led to two separate incidents in October 2022 and June 2023. According to documents seen by MARKETING-INTERACTIVE, up to 22,542 e-mail addresses in October 2022 and consumer data of 12,218 individuals in June 2023 in CASE's possession were possibly compromised.

The first incident was notified to PDPC involving a threat actor accessing CASE's e-mail accounts and sending phishing e-mails on 8 and 9 October 2022. Some of CASE's consumers received unsolicited e-mails from "“online-submission@case.org.sg” on 8 October, an account used to communicate with consumers who lodge complaints on its website.

The e-mail told consumers that their complaints had been escalated to the "collections and compensation department" and that they were eligible for a compensation payout. Consumers were then requested to click on a chat icon to fill in their banking details to complete the payment process.

Similar e-mails were sent from "mediator1@case.org.sg”, the next day. The e-mail account is used to communicate with consumers who are in the mediation stage. Of these incidents, three consumers were affected, with the victims losing a collective amount of SG$217,900.

Investigations by a private forensic expert engaged by CASE revealed that the threat actor had signed in to the affected accounts using correct login credential which were likely retrieved from a phishing attack on a CASE employee.

The investigation also revealed that some of CASE's computers no longer supported or maintained with security updates by vendors as they were running on end-of-life operating systems.

While PDPC was investigating the first incident, it received a complaint on 22 June 2023 regarding a phishing e-mail that reproduced a consumer's complaint submitted to CASE.

Subsequently, PDPC was informed by a total of 28 individuals that they received similar e-mails from e-email addresses which did not originate from CASE's domains. The investigations did not yield a definitive conclusion regarding how the data breach happened. Through PDPC's findings, it said it found CASE to have breached the protection obligation.

PDPC said that CASE's password management policy was "manifestly insufficient" to safeguard the personal data in its possession. It added that CASE did not enforce its own password policy and failed to implement an adequate password policy.

In tandem, PDPC said CASE did not have in place sufficient logging and monitoring practices to detect suspicious or unusual activities or unauthorised access promptly and that it did not have a documented IT infrastructure management plan or process for the protection and security of its systems.

As such the PDPC determined that CASE should pay a financial penalty of SG$20,000 within 30 days from the date of the notice. It also directed CASE to review and update policies relevant to personal data protection, rectify all security gaps identified and more.

In a statement, CASE executive director Dexter Tay said "CASE has received and fully accept the written decision by the PDPC issued on 9 July 2024, and the financial penalty of SG$20,000. In the two incidents that occurred in October 2022 and June 2023, CASE promptly alerted affected consumers and reported the matter to the Police and the PDPC."

"CASE also promptly engaged the services of an IT forensic investigation firm and implemented various measures to strengthen our policies and systems against unauthorised access. CASE is committed to safeguarding consumer’s data and has complied with PDPC’s directives to update our personal data protection policies and to rectify security gaps. We will continually review our systems and practices to prevent a recurrence of such incidents," added Tay.

In November last year, Ascentis, the developer for Starbucks Singapore was charged SG$10,000 for its failure to protect the personal data of more than 300,000 members for the chain’s rewards programme.

According to the PDPC, the developer had “requested and agreed for the investigation to be handled, and voluntarily provided and admitted” to the data breach.

The personal data of these individuals, consisting of names, email addresses, dates of birth, membership details relating to the rewards program, physical addresses and telephone numbers were exfiltrated in the incident.

Voluntary undertakings were implemented by the company which included enhanced security to its consumers’ data and other precautionary measures.

Explore transformative trends to empower your brand for sustainable growth. Join 500+ marketing minds at Digital Marketing Asia 2024 Singapore on 1-2 October and uncover transformative trends to empower your brand, network with industry leaders and collaborate across industries, and discover real-life marketing wins and powerful ideas.

share on