31 October, 2016
Weak passwords and the transfer of customer data by unencrypted email were among the poor security practices that led to the personal data of 317,000 members of a Singapore karaoke outlet operator being leaked.
The Singapore Personal Data Protection Commission (PDPC) has released its reasoning for the fines it imposed six months ago on K Box Entertainment Group and its IT vendor Finantech.
K Box and Finantech were fined S$50,000 (£29,000) and S$10,000 respectively in April for "failing to implement proper and adequate protective measures to secure its IT system", resulting in the unauthorised disclosure of the personal data of the K Box members.
While K Box had policies in place requiring the use of complex passwords, there was no technical means of enforcing them at the time of the breach, and one receptionist was known to use a single letter as a password, the PDPC said.
Emails containing the personal data of over 90,000 members were also sent without any protection, the PDPC said. These emails were not responsible for the data breach, but the practice "is a vulnerability and an example of how K Box had not sufficiently protected the members’ personal data. The better practice would have been for Finantech to encrypt or to ensure that the document containing the list of members’ personal data was password protected before sending it to K Box", it said.
The PDPC also investigated how the data breach may have occurred. An account used by a Finantech member of staff had the password 'admin', and it seems likely that this account was used to access the leaked data, the report said.
The leaked list of members' data stopped at a member record created on 23 April at 5.43am, and activity logs showed that someone logged in using the admin account at 9.59am on the same day, the PDPC said.
The account had been used by a former employee known as Mrs G. Mrs G had left Finantech in or around 2013 and there was no evidence to suggest that she had been remotely accessing the account, so "any use of this account after Mrs G had left Finantech would likely have been unauthorised and could be taken to be done by the cyber-attacker", the PDPC said.
K Box did not delete the accounts of employees who had left the company until 17 December 2014, the day after news of the data breach broke. On the same day, Mrs G's administration account was deactivated and its password changed, the report said.
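The two controls whose absence the PDPC highlights (detecting use of an account after its owner has left, and removing such accounts at all) are straightforward to check for if the business keeps a leavers list and the system keeps an authentication log. The following is an added example, not code from K Box, Finantech or the PDPC report: it assumes a hypothetical syslog-style login record format, a constructed HR roster with departure dates, and constructed log lines whose timestamps loosely mirror the sequence described above.

```python
"""Offboarding hygiene checks over constructed sample data (added example).

Two checks:
1. flag authentication events on accounts whose owner had already left;
2. list accounts that are still enabled although their owner has left.
"""
import re
from datetime import datetime

# Hypothetical log format: "<ISO timestamp> login user=<u> src=<ip> result=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed HR roster: account name -> departure date, or None if still employed.
ROSTER = {
    "admin": datetime(2013, 6, 30),   # hypothetical departed administrator
    "reception1": None,
    "finantech_dev": None,
}

# Constructed directory state: account name -> still enabled?
ACCOUNT_STATE = {"admin": True, "reception1": True, "finantech_dev": True}

# Constructed auth log (not from the PDPC report).
SAMPLE_LOG = """\
2014-04-23T05:43:00 login user=reception1 src=10.0.0.12 result=success
2014-04-23T09:59:00 login user=admin src=203.0.113.7 result=success
2014-04-24T14:10:00 login user=finantech_dev src=10.0.0.20 result=success
2014-04-25T02:12:00 login user=admin src=203.0.113.7 result=failure
2014-04-25T02:13:00 garbage line that does not match the format
"""


def parse_auth_log(text):
    """Parse log lines into dicts; lines not matching the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "user": m.group("user"),
            "src": m.group("src"),
            "result": m.group("result"),
        })
    return events


def flag_departed_logins(log_text, roster):
    """Return every auth event (failed attempts included) on an account whose
    owner's departure date precedes the event.  Failed attempts count too:
    someone guessing at a dormant account is still worth knowing about."""
    flagged = []
    for ev in parse_auth_log(log_text):
        left = roster.get(ev["user"])
        if left is not None and ev["ts"] > left:
            flagged.append(ev)
    return flagged


def orphaned_accounts(roster, state):
    """Accounts still enabled although the roster says the owner has left."""
    return sorted(
        user for user, left in roster.items()
        if left is not None and state.get(user, False)
    )


if __name__ == "__main__":
    for ev in flag_departed_logins(SAMPLE_LOG, ROSTER):
        print(f"ALERT {ev['ts'].isoformat()} {ev['user']} from {ev['src']} ({ev['result']})")
    print("still enabled after departure:", orphaned_accounts(ROSTER, ACCOUNT_STATE))
```

Run as a scheduled job, the first check would have raised an alert on the 9.59am login the day the data was taken, rather than eight months later; the second is the list that an offboarding process should drive to empty. Both depend on the leavers list being accurate, which is the organisational control the PDPC found missing.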
For further information, please contact:
Ian Laing, Partner, Pinsent Masons
ian.laing@pinsentmasons.com