InsiderSecurity Resources

Lessons from PDPA cases

We have drawn some lessons from PDPA (Personal Data Protection Act) cases, which we hope are useful to you. We look at data breach or theft under PDPA.

There are 9 PDPA obligations in total (consent, retention etc). The PDPA data protection and accuracy obligations are the ones where a data breach can get your company into trouble.

PDPC (Personal Data Protection Commission) took action against some companies recently. For example, K-Box was fined $50K. More than the fine, it is the hit to the company's reputation and potential loss of customers that hurts the most.

We analyse detailed PDPC decisions that are released publicly.

PDPC does not take action against every company that suffered a data breach. At the same time, PDPC can take action even if there is no proof of data theft (as in the case of the company Full House)! This is because PDPC simply checks if a company had taken "reasonable" measures to protect its data, as required by PDPA.

KBox

The karaoke chain KBox is fined $50K for losing data on more than 300,000 customers in 2014.

Lessons

1. Use good passwords or two-factor authentication

KBox had an administrator account with the password “admin” for their CMS server. This made it very easy for an attacker to gain access to the data. Interestingly, KBox does have a password policy, just that none of their staff bother about it.

2. Have security monitoring in place

PDPC noted that KBox has no security monitoring in place. Even if its own staff removed data, KBox would have no idea.

3. Update vulnerable software

PDPC noted that KBox does not update its server software.

4. Do security assessments, pen-testing

PDPC noted that KBox has no such practices.


Metro

The retailer Metro lost 445 customer records in 2015. It was let off with a warning by PDPC as it had made an attempt to improve its security. However Metro's reputation suffered when it is publicly named by PDPC.

Lesson

If you have to outsource cyber security, outsource to people who know their stuff

Metro had its website hacked previously and it had engaged its IT vendor to patch up the website. However, the IT vendor did not do a good enough job (the IT vendor’s expertise may be in building websites and not cyber security). When customer data were stolen subsequently, a KPMG security audit found several vulnerabilities in the website, a number of which any reasonably trained security person should be able to find.


IES

Institution of Engineers Singapore (IES) lost data on more than 4000 customers, including passwords, in 2014.

Lessons

1. Firewalls and antivirus are not enough

IES’s servers employ firewalls and anti-virus (anti-virus are actually rarely used on servers). Unfortunately firewalls and antivirus are only basic protections and are insufficient to stop today’s attackers.

2. Do security assessments, pen-testing


PDPC noted that IES has no such practices.

Now we are not big fans of "click-button" vulnerability scanning tools (these are easy to use, but they only detect known "low-hanging" fruits -- we prefer pen-testing the old school way, where you think like a serious attacker). Nonetheless, if IES had done a simple "click-button" scan, it would have discovered several low-hanging vulnerabilities in their servers.


Fei Fah Manufacturing

Fei Fah Medical Manufacturing lost data on more than 900 members in 2014 and is fined $5000.

Lesson

It matters how you respond when there is a breach

The action that PDPC takes on a company takes into account how a company responds to a breach. Fei Fah Medical was not cooperative with PDPC. Despite being notified of the data breach, it had failed to rectify or patch its systems even after 10 months. Fei Fah may think the fine is small, but its reputation among customers will be affected when it is publicly named by PDPC.


Challenger Superstore and others

Challenger Superstore, Singapore Computer Society and UTC Travel sent emails with confidential data to the wrong recipients. This is due to human mistakes.

Lessons

1. Have security awareness training for staff

2. Have simple human checks

Human mistakes are hard to avoid, having security awareness training for the staff helps. Simple sanity checks on the document (eg verify the member data and customer name match) before emailing, goes a long way.


Full House

Full House had a booth in a furniture fair, where customers keyed in personal data on shared computers for a lucky draw. Internet browsers were used. Unfortunately, the browsers' “auto-fill” function remembers past personal data. So a customer may be able to retrieve the previous customer's data. It was not proved that someone actually tried to so. Nonetheless PDPC issued Full House a warning, and publicly named Full House.

Lesson

Data theft need not actually occur for the PDPC to take action



Conclusion


How can you meet PDPA requirements for data security?

1. Adopt some good security practices in your company


We will be putting up some good data security practices that can help you comply with PDPA. Most of these are practices that you can implement in-house.

2. Do security monitoring for data breach

The unfortunate fact is that there is no fool-proof security solution that can prevent your websites and networks from being hacked. Hackers are getting smarter and more creative every day. Sometimes, the attacker may even be a disgruntled employee with insider access.

If hackers are inside your network, a security monitoring system can help to detect their activity. You want to detect the intrusions early, and to prevent or minimize any damage. The last thing you want is to hear about your security breach from your customers or the news!

3. Security Assessments

Get your in-house security team or a good security vendor to carry out vulnerability assessments and penetration testing of your websites and networks.