Education Agency, Home Services Website Owner Fined For Personal Data Leak
SINGAPORE – Home education agency ChampionTutor has been fined $10,000 for failing to secure the personal data of 4,625 students, its second fine in about two years over a data leak.
The agency has over 10 years of experience in matching students with tutors in Singapore.
It had failed to fix a security flaw on its website, which led to information – such as the names, phone numbers and addresses of students – being leaked and sold on the Dark Web, the Personal Data Protection Commission (PDPC) said in a summary of its ruling last Thursday (October 14).
Another company, Stylez, was fined $37,500 for leaking the personal data of 9,983 people.
Stylez operated the local quote comparison and service portal iCompare.sg. The portal, which promoted various services such as wedding photography, home loans and movers, has since been closed.
The leak involved portal records of its renovation and interior design clients between 2009 and 2016, including their names, email addresses and phone numbers.
The Straits Times reported on December 25, 2019 that some of the data had been released to the Dark Web, alongside what appeared to be hacked documents on US military tanks, Netflix passwords, and national credentials of Turkish nationals.
The information released also included office addresses, quotes and customer inquiries to at least 60 companies.
In written reasons for its ruling last Thursday, the PDPC said the leaked data was used for a new database created by Stylez in July 2016 to test a new function for iCompare.sg.
But the company had failed to implement “reasonable” security arrangements to protect the database’s personal data.
This included storing the database in a publicly accessible directory on a cloud server – which meant it could be discovered and accessed through internet search engines – and in an unencrypted format for over two and a half years.
“The investigations revealed that the exposed data (…) had been accessed and exfiltrated from the (database) sometime before December 2019,” the PDPC said.
But the portal’s other databases were hosted on servers rented from another cloud service provider and were unaffected.
The PDPC also found that Stylez had not developed and implemented internal data protection policies corresponding to what it had communicated to its existing and potential customers.
“In fact, none of these guidelines or procedures were implemented, and it made what was communicated to (Stylez) customers and potential customers an empty promise,” said the PDPC.
“While (Stylez) claimed to have relied on verbal reminders to educate staff about the importance of data protection, these reminders were not documented and, in any event, insufficient.”
In the case of ChampionTutor, the PDPC said the company became aware of the security breach when it performed a test in December of last year.
The company then asked its India-based developer, who was not named by the PDPC, to fix the vulnerability.
But the developer did not respond, and the education agency did nothing else to correct the flaw.
The PDPC said it received information on February 24 of this year that the company’s database was being sold on the Dark Web.
It then informed the education agency, which was unaware of the leak.
The education agency has since hired a new team of developers and is revamping all of its website source code to reduce possible vulnerabilities.
In 2019, the agency was fined $5,000 by the PDPC after a list containing the names, phone numbers and email addresses of 4,899 people was leaked.
At the time, ChampionTutor did not have a data protection officer and did not implement any internal data protection policies, both of which are mandatory by law.