Updated: Mar 3
IT vendor for schools Learnaholic and startup honestbee among 5 firms fined S$94,000 by PDPC
Five companies, including an IT vendor for schools and embattled startup honestbee, were fined a total of S$94,000 for breaching the Personal Data Protection Act, the Personal Data Protection Commission (PDPC) announced in decisions released on Thursday.
The largest fine of S$60,000 was imposed on IT services provider Learnaholic, for creating a vulnerability in a school's server in 2016 that was later exploited by a hacker to access the data of some 47,802 staff, students and students' parents of various schools.
Learnaholic had been providing attendance-taking systems to schools under a contract with the Ministry of Education. In March 2016, the company opened a port on a school's server to gain remote access to a cluster of attendance controllers, but never closed it afterwards, leaving the cluster reachable from outside.
A file containing a Learnaholic representative's email login credentials had also been inadvertently copied to that cluster, where the hacker could read it. The PDPC noted that the file "contained the proverbial keys to the kingdom": the open port gave the hacker a foothold, and the plaintext credentials turned that foothold into access to the representative's email account, where the unencrypted personal data was stored.
Learnaholic could not be reached for comment.
Meanwhile, grocery startup honestbee, which is currently undergoing a court-supervised restructuring, was fined S$8,000 for storing the data of about 8,000 individuals in the cloud without access restrictions.
Merchants that were working with or planning to work with honestbee for delivery had provided the startup with personal data of their customers in order to test its logistics platform, according to a summary of PDPC's decision.
honestbee had then stored the data - which included names, email addresses, residential addresses and mobile numbers - in a storage bucket on Amazon Web Services (AWS). PDPC was informed on May 2 that the individuals' data was accessible to the public.
honestbee admitted that it had mistakenly stored the data in a bucket without access restrictions, PDPC said in the summary. Anyone with knowledge of AWS's command-line tools could thus access the data. A publicly readable bucket requires no AWS account or credentials to read, so familiarity with the command line was a convenience for whoever found it rather than a barrier.
honestbee has since blocked public access to the data and sent a report to its engineering team to prevent similar mistakes. It is also in discussions with cybersecurity companies to perform regular security audits on its systems, PDPC added.
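The misconfiguration described above can be audited offline. The script below is an added example, not honestbee's or PDPC's code: it checks the three places where an S3 bucket can be opened to the world (the bucket ACL, the bucket policy, and the Public Access Block settings) and shows an open bucket beside its hardened form. The JSON documents are constructed to resemble what `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` return; the bucket name `example-bucket`, the account ID and the `logistics-test` role are assumed placeholders, and no AWS calls are made.

```python
"""Audit S3 bucket access settings for public exposure (offline example)."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_findings(acl: dict) -> list:
    """Grants to the AllUsers or AuthenticatedUsers groups make a bucket effectively public."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            out.append(f"ACL grants {grant['Permission']} to {group}")
    return out


def _is_wildcard_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means any caller, including anonymous ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy: dict) -> list:
    """An Allow statement with a wildcard principal and no Condition is anonymous access."""
    out = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        sid = stmt.get("Sid", "?")
        if stmt.get("Condition"):
            # A Condition (e.g. aws:SourceVpce) may scope a wildcard principal; flag it for review.
            out.append(f"policy {sid}: wildcard principal restricted by Condition, review")
        else:
            out.append(f"policy {sid}: anonymous {', '.join(actions)}")
    return out


def public_access_block_findings(pab: dict) -> list:
    """All four Public Access Block flags must be True for S3 to refuse public ACLs and policies."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [f"PublicAccessBlock.{flag} is not enabled" for flag in PAB_FLAGS if not cfg.get(flag)]


def audit_bucket(acl: dict, policy: dict, pab: dict) -> list:
    """Return every finding; an empty list means nothing in the three layers opens the bucket."""
    return acl_findings(acl) + policy_findings(policy) + public_access_block_findings(pab)


# Constructed sample: a bucket left open the way the article describes.
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
OPEN_POLICY = {"Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
]}
NO_PAB = {"PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS}}

# Constructed sample: the hardened form of the same bucket (placeholder account ID and role name).
LOCKED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
]}
LOCKED_POLICY = {"Statement": [
    {"Sid": "LogisticsTestRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/logistics-test"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]}
FULL_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}

if __name__ == "__main__":
    for name, args in (("open", (OPEN_ACL, OPEN_POLICY, NO_PAB)),
                       ("locked", (LOCKED_ACL, LOCKED_POLICY, FULL_PAB))):
        findings = audit_bucket(*args)
        print(f"{name}: {'PUBLIC' if findings else 'ok'}")
        for finding in findings:
            print("  -", finding)
```

Run against the open sample it reports six findings (one ACL grant, one anonymous policy statement, four disabled Public Access Block flags); the locked sample reports none. Enabling the Public Access Block alone would have made the open ACL and policy ineffective, which is why the four flags are checked as a layer of their own.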
"An internal investigation was done as soon as the matter was brought to our attention. The data was removed and access permissions were tightened. honestbee promptly and actively resolved the alleged breach," an honestbee spokesman told The Business Times, adding that the startup will pay the fine.
Of the three other companies: The Travel Corporation (TTC) was fined S$12,000; Chizzle, S$8,000; and i-vic International, S$6,000.
In TTC's case, an employee had lost a portable hard-disk containing unencrypted data of over 18,600 customers, employees and suppliers in July 2018. PDPC also later found that TTC had not appointed a Data Protection Officer (DPO) prior to the incident. The company has since stopped using portable storage devices and also appointed a DPO.
Chizzle, which operates an education tech app, suffered a cyberattack in July 2018 that compromised the data of over 2,200 users of the app. The data included names, dates of birth, genders, email addresses and some users' residential addresses and mobile numbers.
Chizzle had "failed to conduct any security review of its system" that might have reasonably prevented the breach, PDPC noted in its decision. The startup has since changed the IP address of its servers and switched to new hardware.
In i-vic's case, an error in the code for automated email generation caused documents containing the personal data of three individuals to be wrongly sent out to nine others. i-vic was processing claims and queries for the Employment and Employability Institute (e2i) on a work-trial programme.
The documents contained the names, NRIC numbers, signatures, residential addresses, mobile numbers, email addresses, age and race of the three individuals, as well as two of the individuals' bank account numbers, and the academic and work details of one individual.