PDPA violations: The Case of K-Box


On 16 September 2014, a list containing the personal data of 317,000 K Box customers leaked onto pastebin.com. The cause of the leak was never discovered. Nonetheless, the incident triggered an investigation by the Personal Data Protection Commission (“PDPC”).

On 20 April 2016, K Box was fined $50,000 and its vendor Finantech was fined $10,000 for breaches of the Personal Data Protection Act (“PDPA”).

K Box was found to have failed to put in place reasonable security arrangements to protect its customers’ personal data. It had also failed to implement policies and procedures to comply with its obligations under the PDPA and to make information about its policies and procedures publicly available.

So what went wrong?

1. Use of weak passwords

The PDPC found that K Box permitted its staff to use weak passwords, notwithstanding that stronger ones were supposed to be used. As the PDPC observed:

K Box did not “conduct audit on whether the staff really use eight numbers/letters alphanumeric, one capital and one special case password (sic.)”

2. Weak control over unused accounts

K Box did not delete the accounts of staff who had left the company until after the massive leak of its customers’ data. As a result, a Customer Management System (CMS) account with the user name ‘admin’ and the weak password ‘admin’ remained in use for more than a year.

Multiple unauthorised accesses to the CMS system were made using this “admin” user account.

The unused user accounts also left the CMS system vulnerable to hacking.
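Findings 1 and 2 come down to two checks an administrator can run routinely: does every account still satisfy the stated password rule, and are there accounts that belong to departed staff, still carry default credentials, or have not been used for months. The script below is an added example, not part of the original post or the PDPC decision. The account records are constructed, the password rule is my reading of the quoted wording (at least eight characters, one capital letter, one special character), and the 90-day dormancy threshold is an assumed value.

```python
"""Account hygiene audit modelled on the K Box findings (added example).

The account list below is constructed for illustration. Passwords appear in
clear text only because this is a toy dataset; a real audit would enforce the
rule when a password is set and would never store or export clear text.
"""
from datetime import date, timedelta

# Constructed sample of a CMS user list as an administrator might export it.
SAMPLE_ACCOUNTS = [
    {"user": "admin",  "password": "admin",       "employed": True,  "last_login": date(2014, 9, 10)},
    {"user": "jlim",   "password": "Summer#2014", "employed": True,  "last_login": date(2014, 9, 15)},
    {"user": "tkoh",   "password": "password1",   "employed": False, "last_login": date(2013, 6, 2)},
    {"user": "vendor", "password": "Vendor!2013", "employed": True,  "last_login": date(2013, 8, 30)},
]

# Small set of vendor/default passwords to flag (assumed list, not from the decision).
DEFAULT_CREDENTIALS = {"admin", "password", "123456", "changeme"}


def password_meets_policy(pw):
    """Assumed reading of the policy quoted by the PDPC: at least eight
    characters, at least one capital letter and at least one special character."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(not c.isalnum() for c in pw)
    )


def audit_account(acct, today, dormant_days=90):
    """Return the list of findings for one account; an empty list means clean."""
    findings = []
    if not password_meets_policy(acct["password"]):
        findings.append("weak password")
    if acct["password"].lower() in DEFAULT_CREDENTIALS or acct["password"] == acct["user"]:
        findings.append("default credentials")
    if not acct["employed"]:
        findings.append("account of departed staff not deleted")
    if (today - acct["last_login"]) > timedelta(days=dormant_days):
        findings.append("dormant for more than %d days" % dormant_days)
    return findings


def audit_accounts(accounts, today, dormant_days=90):
    """Map each user name to its findings, omitting accounts with none."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today, dormant_days)
        if findings:
            report[acct["user"]] = findings
    return report


def audit_sample(today_iso):
    """Run the audit over the constructed list as of the given ISO date."""
    return audit_accounts(SAMPLE_ACCOUNTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Audit as of the day the leak appeared on pastebin.
    for user, findings in audit_sample("2014-09-16").items():
        print("%-7s %s" % (user, "; ".join(findings)))
```

Run as-is, the report flags ‘admin’ for both a weak password and default credentials, ‘tkoh’ as a departed employee whose account was never deleted, and ‘vendor’ as dormant; ‘jlim’ passes. The point of separating the checks is that each one maps to a distinct finding in the decision, so a clean report is evidence for exactly the audit the PDPC said K Box never performed.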

3. Failure to use updated software and conduct security audits

K Box’s CMS system contained at least 9 known security vulnerabilities. These could have been removed by updating the software, but neither K Box nor Finantech did so.

K Box also failed to conduct audits to supervise the security of its database and system.

4. Poor practices regarding transfers of personal data

Emails containing large volumes of personal data were sent via Gmail without any password protection or encryption.

5. Poor management of K Box’s IT vendor, Finantech

K Box failed to manage its vendor, Finantech, effectively so as to ensure that it undertook adequate measures to protect members’ personal data.

6. No comprehensive privacy policy

Prior to the pastebin leak, K Box failed to implement a comprehensive privacy policy.

There was no policy, and no physical or online security system, in place to monitor whether a staff member removed personal data from its premises.

Furthermore, K Box had not appointed a data protection officer (even as late as 20 April 2015).

7. Lapses by Finantech

The PDPC observed that Finantech had failed to put in place the required security measures that K Box needed in order to provide adequate protection for the personal data in K Box’s database and system.

The Candoer Group empowers SMEs operationally with streamlined solutions in complex situations. We provide corporate secretarial, bookkeeping and tax filing services for Singapore-based SMEs.

We can arrange for legal services to be provided through our alliance with Peter Low LLC. We also work with our partners at Wrike to implement collaboration solutions suitable for your needs.
