Century Evergreen, a corporation specializing in manpower services, has incurred a fine of $9,000 from Singapore’s data privacy regulatory body. This penalty was imposed due to a vulnerability that led to the unauthorized acquisition of identification documents belonging to 23,940 individuals from the company’s website.
The aforementioned documents encompassed visual representations of their national registration identity card, commonly referred to as NRIC.
According to the Personal Data Protection Commission (PDPC), a total of 96,880 photos of these papers were downloaded from the firm’s website within three days in December of last year.
The company, which provides temporary workers to many sectors within this locality, mandates that prospective employees present identification documents as a means of verifying their identity and assessing their fitness for employment.
The discovery of the leak was made by an unidentified individual who saw that the papers’ photos were openly accessible on the company’s website. Subsequently, a complaint was filed with the Personal Data Protection Commission (PDPC) on December 11, 2022.
After conducting investigations, the PDPC revealed that the company acknowledged the presence of a vulnerability that enabled an unidentified party to gain access to personal data by changing the website’s address. This vulnerability has been there since the website was first launched in 2015.
The organization also acknowledged that, in addition to performing functionality testing during the website’s launch, it did not establish any agreements with its information technology vendor to conduct security tests before or following the launch.
According to the report issued by the Personal Data Protection Commission (PDPC), the firm’s lack of implementation of adequate security measures to safeguard personal data is deemed as an instance of “gross negligence.” This assessment is based on the extended duration of non-compliance spanning from 2015 to 2022.
According to the PDPC, the determination of the financial penalty was based on various considerations, such as the firm’s voluntary acknowledgment of the violation, its rapid efforts to address the vulnerability, and its unsatisfactory performance in the latest fiscal period.
Additionally, it acknowledged that other than performing functionality testing during the website’s debut, no provisions were made with its information technology vendor to carry out security testing before or following the launch.
NVIDIA Corp is a semiconductor company that designs graphics processing units (GPUs) for the gaming, cryptocurrency mining, and data center markets. The company’s stock has been on a tear in recent years, with its share price rising by more than 1,000% since the beginning of 2020.
According to the report issued by the PDPC, the firm’s lack of implementation of adequate security measures to safeguard personal data is deemed as an instance of “gross negligence,” considering the prolonged duration of non-compliance spanning from 2015 to 2022.
According to the PDPC, the determination of the financial penalty was based on a thorough evaluation of many aspects. These elements encompassed the firm’s voluntary acknowledgment of the breach, its expeditious efforts to rectify the vulnerability, and its unsatisfactory performance in the latest fiscal period.
In an independent incident, Autobahn Rent A Car, a car rental company, incurred a fine of $3,000 from the PDPC (Personal Data Protection Commission) after the unauthorized access to its system. This breach led to the illicit acquisition and subsequent sale of 53,000 personal data sets on a cybercrime forum.
The security breach involved the unauthorized access of an active administrator account that had not been revoked, granting the hacker entry into the database of Shariot, the car-sharing service operated by the company. According to the PDPC’s statement on Wednesday, an incident occurred wherein a pornographic image replaced an image on Shariot’s mobile application.
On September 24, 2022, the company received a notification regarding the photos from a consumer through their feedback system.
Subsequently, the organization successfully linked the photograph back to an administrator account previously associated with a former employee, despite the employee’s departure in May 2022. Notably, the account had not been revoked.
It was discovered that the ex-employee had received an electronic communication from an unidentified sender on September 10, 2022, wherein it was communicated that their portable computer had been compromised and a request for payment in the form of Bitcoin was made.
Utilizing the administrative credentials of a previous employee, the perpetrator illicitly acquired a duplicate of the personal information about the users of Shariot.
On October 21, 2022, a notification was received from a provider of cyber-security solutions, informing the corporation that a database known as Shariot, which contains personal data, had been made available for purchase on a forum dedicated to criminality. The dataset comprised individuals’ names, email addresses, mobile phone numbers, NRIC numbers, and basic geographical data about areas like as Bishan and Toa Payoh.
The organization promptly notified the Personal Data Protection Commission (PDPC) of the personal data breach on the same day.
After the occurrence, the organization undertook an internal examination of its administrator accounts, implemented system enhancements to obfuscate National Registration Identification Card (NRIC) numbers, revealing only the final four characters, and carried out training initiatives.
According to the PDPC, the corporation acknowledged its failure to establish adequate security measures for preventing unauthorized access or disclosure of personal data under its possession or control.
The corporation acknowledged that the hack may have been prevented had it adopted multi-factor authentication as an additional security measure for administrative accounts with access to its extensive user database.
The Personal Data Protection Commission (PDPC) stated that a monetary sanction was levied due to the personal data breach, which was deemed to be non-trivial.
