Case fined S$20,000 for exposing 22,542 email addresses & personal data of 12,218 people in 2 data breaches
The fine was imposed by the PDPC.
The Consumers Association of Singapore (Case) has been fined S$20,000 for two incidents of data breaches under the Personal Data Protection Act (PDPA).
According to a judgement by the Personal Data Protection Commission of Singapore (PDPC), the fine was imposed as Case failed to put in place reasonable security arrangements to protect personal data in its possession, and failed to develop and implement policies and practices necessary to meet its obligations under the PDPA.
Up to 22,542 email addresses were exposed by the first incident in October 2022, while the second incident in June 2023 saw the personal data of about 12,218 individuals put at risk of unauthorised access and exfiltration.
What happened during the first incident?
On Oct. 8, 2022, some of Case's consumers received phishing emails from "[email protected]", informing them that their complaints had been escalated to the “collections and compensation department”, and that they were eligible for a compensation payout.
The email address was used by Case to communicate with consumers who had lodged complaints on their website.
Consumers who received the emails were requested to click on a chat icon to fill in their banking details to complete the payment process.
On Oct. 9, 2022, similar emails were sent from "[email protected]" to more of Case's consumers.
This account was used by Case to communicate with consumers whose complaints were escalated to mediation.
Subsequently, in January and February 2023, Case received complaints of further phishing emails being sent to their consumers from email addresses which did not originate from their domain.
The PDPC judgement added that based on the circumstances, these affected consumers’ emails were likely harvested by the threat actor during the course of the first incident.
In addition, three of Case's affected consumers said they had clicked on a chat icon embedded in the phishing emails and had money withdrawn from their bank accounts.
These individuals allegedly suffered losses of S$900, S$68,000, and S$149,000. Case made a police report and was told by the police to leave the investigations to them.
What did investigations into the first incident find?
A private forensic expert engaged by Case to investigate the incident found that the threat actor had successfully signed into the two affected email accounts using the correct login credentials.
This meant the threat actor was able to harvest email addresses of Case's consumers from emails in the Inbox and Sent mailboxes of these accounts, and send phishing emails through Case's verified domain name.
The expert also found that some of Case's computers were running on end-of-life operating systems, and had vulnerable software with unapplied upgrades and security patches, which put Case at risk of remote code execution.
What happened during the second incident?
On Jun. 22, 2023, while Case was still investigating the first incident, PDPC received a complaint from one of Case's consumers.
The complainant had received a targeted phishing email sent by an email address which did not originate from Case's domain.
The email was addressed to the consumer, and reproduced the consumer’s complaint submitted to Case.
27 other individuals subsequently informed Case of similar occurrences.
The PDPC said that since such data was contained within Case's systems, the "unavoidable" conclusion is that at the very least, their personal data such as their email addresses and complaints had been exfiltrated from the organisation's systems.
Investigations did not yield a definitive conclusion regarding how the data breach occurred.
However, the PDPC concluded that the second incident likely occurred during a data migration exercise conducted by Case.
None of the 28 individuals who were affected suffered monetary losses.
What did PDPC find from its own investigations?
Through PDPC's own investigation, and by Case's own admission, Case was found to have breached its PDPA obligations.
The PDPC pointed out that Case's password management policy was "manifestly insufficient" to safeguard the personal data in its possession.
Case also admitted to failing to adopt and enforce a policy on how frequently passwords ought to be changed.
In the first incident, the passwords for the two affected email accounts had remained unchanged for almost four years prior to October 2022.
As for the second incident, Case's contract with one of its vendors involved in the migration did not stipulate clear security responsibilities in relation to its systems or data.
The PDPC added that Case's negligent vendor management put personal data under its control at risk of unauthorised access and disclosure.
Case also admitted to failing to conduct regular security awareness training for its staff, which rendered the organisation more vulnerable to risks that target its staff such as phishing attacks.
The organisation also indicated that it did not have information and communication technology policies in place for critical aspects of IT security, having only relied on its IT staff to conduct maintenance and updates, "as and when necessary".
Case fully accepts decision by the PDPC
In response to the judgement, Case put out a statement on Aug. 30 saying it accepted the decision by the PDPC, including the S$20,000 fine.
Case wrote:
"In the two incidents that occurred in October 2022 and June 2023, Case promptly alerted affected consumers and reported the matter to the police and the PDPC. Case also promptly engaged the services of an IT forensic investigation firm and implemented various measures to strengthen our policies and systems against unauthorised access."
Case also said it has updated its policies and rectified security gaps, complying with the PDPC's directives.
It promised to "continually review" its systems and practices to prevent future incidents.