ShopBack fined S$74,400 for breach of data of over a million users

Zhao Yifan
Published Thu, Aug 17, 2023 · 06:07 PM

ECOMMERCE Enablers, which operates the online shopping service platform ShopBack, was fined S$74,400 for its failure to safeguard users’ personal data. 

The data breach incident happened on Sep 9, 2020 when a malicious threat actor accessed Ecommerce Enablers’ storage server with a key inadvertently leaked by a senior member of the company’s software engineering team. 

The threat actor then extracted close to 1.5 million email addresses, 840,210 names, 447,076 mobile numbers and 299,381 bank account numbers. The threat actor also misappropriated 378,531 instances of credit card information, including partial credit card numbers and expiry dates.

Other personal details such as dates of birth and addresses were also leaked in large numbers.

Ecommerce Enablers informed the Personal Data Protection Commission (PDPC) about the breach on Sep 25, 2020.

In November 2020, the exfiltrated database was put up for sale on Raidforums, an online cybersecurity forum commonly used for trading stolen databases. The forum was later seized by US authorities in April 2022.


In a decision released on Wednesday (Aug 18), the PDPC found Ecommerce Enablers to have breached section 24 of the Personal Data Protection Act 2012 (PDPA), which requires organisations to protect personal data in their possession by making reasonable security arrangements.

According to the PDPC, Ecommerce Enablers in this instance did not implement sufficiently robust processes in managing the access keys to its storage servers. 

The company contested this finding, arguing that the compromise of the key arose from human error rather than from any systemic issue with its security practices. PDPC dismissed the argument, referring to the case of Re DataPost.

“Organisations cannot place sole reliance on their employees to perform their duties properly as a security arrangement to protect personal data. There must be some processes to ensure that the step required from the employee is taken, such as independent verification by another checker,” wrote Lew Chuen Hong, Commissioner of PDPC. 

PDPC also highlighted the company's failure to conduct periodic security reviews, noting that the access key had been replaced in June 2019. Had specific security reviews been carried out during the 15 months leading up to the incident, the fact that the old leaked key remained active could have been detected, it said.

In determining the amount of the financial penalty, the commission also considered various mitigating factors.

It acknowledged that Ecommerce Enablers took prompt action to contain the breach, including notifying the affected individuals. The company also cooperated with PDPC throughout the investigation and voluntarily acknowledged its failure to safeguard the storage server access key.

To improve its security standards and prevent a recurrence or similar incidents, the company has since adopted a more secure procedure of issuing temporary, time-limited access keys. It has also developed an internal IT security policy governing the use of such keys.
