OrangeTee & Tie fined S$37,000 for data breach affecting over 250,000 customers, staff

    Published Wed, Apr 19, 2023 · 03:34 PM

    REAL estate firm OrangeTee & Tie has been fined S$37,000 after the Personal Data Protection Commission (PDPC) found that the information of more than 250,000 customers, employees and agents had been compromised.

    In a written judgment on Monday, the PDPC said the firm had breached its obligation to protect this trove of personal data: it had not sufficiently assessed the security risks in the way the data is handled, and it had also failed to conduct periodic security reviews.

    In August 2021, names, bank account numbers, NRIC and passport numbers, and property transaction and commission amounts were extracted from OrangeTee & Tie’s outdated database servers by hacking group Altdos.

    The group demanded a ransom of 10 bitcoins from the firm for the safety and non-disclosure of the databases. It also claimed to have hacked OrangeTee & Tie’s network since June 2021 and stolen “hundreds of databases”.

    OrangeTee & Tie then filed a police report. It also reported the incident to a division under the Cyber Security Agency of Singapore.

    When the hacking group did not receive the ransom, it carried out a distributed denial-of-service attack – which floods a server with traffic – that brought down OrangeTee & Tie’s network.

    It also sent another ransom demand through e-mail and messaging platform WhatsApp to some of the firm’s employees.

    OrangeTee & Tie engaged a private forensic expert, who found that the hackers had extracted personal datasets from 11 databases, contrary to the group’s claim.

    In total, 256,583 people were hit by the data breach, most of them customers of OrangeTee & Tie.

    PDPC said OrangeTee & Tie had used “live” production data, which included personal data, for development and testing without having “sufficiently robust processes” to ensure the information was protected.

    It said the company should instead have conducted a security assessment and used synthetic data, or information that is artificially generated.

    The property firm also failed to conduct reasonable periodic security reviews of its servers – a standard practice that would have detected vulnerabilities arising from outdated software, PDPC added.

    Two database servers were connected to Internet-facing Web servers, which exposed the personal data to security risks. OrangeTee & Tie did not recognise the risks posed by the outdated software and did not take steps to ensure that all Internet-facing servers were adequately protected, PDPC said.

    The firm subsequently admitted that it did not consider the need for such security reviews in its information-technology security policy.

    In determining the financial penalty, PDPC noted mitigating factors such as prompt remedial actions taken by the company and its cooperation during investigations.

    PDPC added that while names and property transaction amounts were exfiltrated, it did not consider these categories to be highly sensitive, as such information can, to a certain extent, be found in the public domain.

    For instance, property transaction amounts can be found via a search on the Urban Redevelopment Authority website for caveats lodged.

    In response to queries from The Straits Times, an OrangeTee & Tie spokesman said: “While we are heartened that the authorities noted our prompt remedial actions, which included notifying affected individuals, OrangeTee takes this matter seriously.”

    The spokesman said the company had ramped up its network and data security, and heightened its defence against future attacks.

    “We are confident of our reinforced security measures, and will work hard to maintain our clients’ trust in our IT network.”

    In February, the log-in credentials of about 1,200 people representing various organisations that use the services of ST Telemedia’s data centre operator were leaked onto a hackers’ forum.

    A data breach at online marketplace Carousell had also exposed the personal information of 1.95 million users, or about 39 per cent of its user accounts in Singapore last October.

    The Straits Times reported then that a database of user accounts, believed to be from the Carousell leak, was being sold on the Dark Web and hacking forums. THE STRAITS TIMES
