The Personal Data Protection Commission (“the Commission”) imposed a financial penalty of $9,000, payable in 12 installments, on Sendtech Pte. Ltd. (“Sendtech”) after finding that it had breached its Protection Obligation under the Personal Data Protection Act 2012.
On 13 February 2021, Sendtech informed the Commission of an unauthorized access to its Amazon Web Services (“AWS”) account through an access key.
Sendtech reported that it became aware of the incident on 10 February 2021 when it detected unusual account activity and shut down its AWS account in response. In particular, it found that an AWS access key generated in 2015, and never rotated or changed since, had been compromised. Sendtech suspected that the key had been compromised through either (i) a former employee, since all former developers had had access to the key and some might still hold the source code that gave access to it; or (ii) a current employee who had used a public Wi-Fi connection while working from home.
With the compromised access key, the attacker gained administrative access to Sendtech’s AWS account and, from there, could reach all personal data stored on Sendtech’s AWS platform. As a result, the attacker had access to the personal data of 64,196 customers (e.g. email address, contact number, home address and the last four digits of the customer’s debit or credit card) and of 3,401 contractors and employees (e.g. profile photo and copies of NRIC or work permit).
Sendtech took remedial measures to mitigate the effects of the breach: rotating all access keys; changing the passwords on all servers; enhancing its audit trail so that the individual actions of users on its platform are logged; checking and verifying that all of its GitHub repositories (where Sendtech builds its software tools) were set to private; engaging cybersecurity consultants to assess its security setup and advise on improvements to its security measures; and developing new cybersecurity policies and processes that specifically include measures for credentials management.
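The root cause above was a long-lived access key: created in 2015 and never rotated, so it stayed valid for whoever had ever seen it. The following is an added example, not code from this article or from Sendtech, showing how a practitioner would catch that condition from the CSV returned by `aws iam get-credential-report`. The column names are the report’s own; the sample rows, the account ID 123456789012 and the 90-day rotation and 30-day idle thresholds are constructed assumptions for illustration.

```python
"""Flag stale, unused or root-owned IAM access keys in an AWS credential report.

Added example, not code from the original article or from Sendtech.
The input is the CSV that `aws iam get-credential-report` returns (column
names below are the report's own); the rows in SAMPLE_REPORT are constructed.
"""
import csv
import io
from datetime import datetime, timezone

# Placeholder values the report uses when a field does not apply.
NOT_SET = {"N/A", "no_information", "not_supported", ""}

# Constructed sample (account ID is a placeholder): a key minted in 2015 and
# never rotated (the pattern in the case above), a healthy CI key, and a
# second CI key that is active but has never been used.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2015-03-01T08:00:00+00:00,not_supported,2021-01-10T09:12:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
legacy-deploy,arn:aws:iam::123456789012:user/legacy-deploy,2015-06-02T10:30:00+00:00,false,no_information,N/A,N/A,false,true,2015-06-02T10:31:00+00:00,2021-02-09T22:41:00+00:00,ap-southeast-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-runner,arn:aws:iam::123456789012:user/ci-runner,2020-11-15T04:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-01-20T04:00:00+00:00,2021-02-09T06:00:00+00:00,ap-southeast-1,ec2,true,2020-11-15T04:01:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Assumed "today" for the sample, the day the incident above was detected.
NOW = datetime(2021, 2, 10, tzinfo=timezone.utc)


def parse_ts(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in NOT_SET:
        return None
    return datetime.fromisoformat(value)


def stale_keys(report_csv, now, max_age_days=90, max_idle_days=30):
    """Return findings for every active access key that breaks a hygiene rule.

    Each finding is a dict with user, key (access_key_1 / access_key_2),
    issue (root_key / not_rotated / unused) and days (age or idle time).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"{slot}_last_rotated"])
            last_used = parse_ts(row[f"{slot}_last_used_date"])
            base = {"user": row["user"], "key": slot}

            # The root user should carry no programmatic credentials at all.
            if row["user"] == "<root_account>":
                findings.append({**base, "issue": "root_key", "days": None})

            # Rotation age: the key in the case above was about six years old.
            age = None if rotated is None else (now - rotated).days
            if age is None or age > max_age_days:
                findings.append({**base, "issue": "not_rotated", "days": age})

            # Idle keys: active, but nothing has used them recently (or ever).
            last_activity = last_used or rotated
            idle = None if last_activity is None else (now - last_activity).days
            if idle is None or idle > max_idle_days:
                findings.append({**base, "issue": "unused", "days": idle})
    return findings


def run_sample():
    """Run the check over the constructed report at the assumed date."""
    return stale_keys(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']:<16} {f['key']}  {f['issue']:<12} {f['days']}")
```

Against a live account the same function can be fed the output of `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d`. A key that is flagged as both old and unused is the cheapest finding to act on: deactivate it first, then delete it once nothing breaks. A key that is old but still in use, like the 2015 key in the sample, is the one that needs a planned rotation with the consumer updated in the same change.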
The Commission concluded that Sendtech had breached the Protection Obligation under Section 24 of the Personal Data Protection Act and initially set the penalty at $10,000. In light of Sendtech’s upfront admission of liability and prompt remedial action, the Commission invited Sendtech to make representations in mitigation of the penalty. As a result of those representations, the Commission reduced the financial penalty to $9,000 and allowed Sendtech to pay it in 12 installments.
By: Denise Mirandah
A version of this article first appeared on the GALA Blog. For more information, please visit http://blog.galalaw.com/.