The Personal Data Protection Commission (PDPC) has fined restaurant reservation platform Eatigo International Pte. Ltd (Eatigo) S$62,400 after a legacy database belonging to the company was breached and its contents were offered for sale on an online forum.
Here's what happened according to a written judgement by the Deputy Commissioner of the PDPC.
In 2018, Eatigo moved to a new online platform which utilised a different type of data storage and infrastructure.
Eatigo retained its old database to support its data migration to the new platform, but failed to include it in the company's Virtual Private Network (VPN) infrastructure. This meant that the database could be accessed directly from the Internet by anyone who had the requisite credentials.
In addition, as Eatigo transitioned to a new engineering team without a proper handover, knowledge of the old database -- which contained the personal data of approximately 2.76 million users -- was lost.
Eatigo is unsure when the data from the old database was accessed and extracted by unauthorised personnel, but it was likely sometime between 2018 and 2020, when the data was put up for sale online.
The types of personal data included name, email address, telephone number, Facebook token, and password in an encrypted form. A sample of the extracted data was also posted on the online forum.
According to a forum post, the affected Eatigo accounts were in Singapore, Hong Kong and Thailand, CNA reported.
In October 2020, a third party informed the PDPC about the post.
Eatigo was "uncooperative and evasive": PDPC
Upon discovering the breach, Eatigo implemented several remedial actions, such as deleting the old database, moving all databases into the organisation's VPN so that they could no longer be accessed via the Internet, conducting penetration testing, and reviewing its logging and monitoring systems.
The PDPC considered these remedial actions as mitigating factors in determining the scope of the penalty.
The commission also considered several aggravating factors aside from Eatigo's gross negligence in failing to keep proper records of the database and to conduct a proper handover.
In particular, the commission said that during the investigation, Eatigo provided inconsistent and slow responses to its requests for documents and information, resulting in delays.
Eatigo was apparently uncooperative and evasive as well. The Deputy Commissioner of the Personal Data Protection Commission (PDPC) Yeong Zee Kin took issue with this and wrote in his judgement:
"Organisations that are uncooperative and that throw up objections will only prolong investigations. The Commission will not be deterred by such tactics. If, as is possible in this case, the organisation did not have the information or needed more time to recover the information, honesty is the best policy. Hiding behind vague notions like 'additional security risks' without providing details can and will be interpreted as cavalier and obstructive, and will be taken as an aggravating factor when the eventual outcome is determined."
In its representations, Eatigo had requested a reduced financial penalty, explaining that it was in a risky financial position and a hefty fine would likely lead to financial distress and the closure of its business.
It was incurring heavy net losses on a month-to-month basis and had various substantial short-term loans due in the near future.
Bearing this in mind, the PDPC decided to impose a financial penalty of S$62,400 in 12 monthly instalments.