Firm failed to carry out periodic security reviews, says privacy watchdog
Real estate firm OrangeTee & Tie has been ordered to pay $37,000 following a data breach that compromised the information of over 250,000 employees and customers.
OrangeTee & Tie was first made aware of the cyber-attack on August 3, 2021, after an organisation that identified itself as "ALTDOS" demanded a ransom of 10 Bitcoins from the company.
The group claimed they had stolen "hundreds of databases," including sensitive information, from the real estate firm. In the same message, they provided video footage of the databases that they allegedly stole.
ALTDOS threatened to leak the stolen databases if the ransom was not paid.
In response, OrangeTee & Tie reported the incident to the Singapore Computer Agency Response Team.
By August 4, 2021, the Personal Data Protection Commission (PDPC) contacted the real estate firm after it received information that the firm's databases were stolen.
On the same day, ALTDOS also carried out a Distributed Denial-of-Service attack that took down OrangeTee & Tie's network, while sending additional ransom demands via email and WhatsApp to its employees.
By August 6, 2021, OrangeTee & Tie informed the PDPC of an incident that involved unauthorised access to its IT network. It also informed the public of the incident.
A private forensic expert (PFE) hired by OrangeTee & Tie found that ALTDOS exfiltrated personal datasets from eleven databases, which contained data of over 250,000 employees and customers.
According to the PDPC's investigation, the names, bank account numbers and passport numbers of 305 employees were compromised.
The names, bank information and passport numbers of over 10,500 agents were also put at risk, while the names, passport numbers and property transaction amounts of over 245,000 customers were compromised.
"The PFE's investigations found that the threat actor had carried out certain web-based attacks and exploited vulnerabilities on the Web Servers to successfully exfiltrate databases from the outdated Database Servers," the PDPC said.
As a result of the breach, OrangeTee & Tie has been ordered to pay $37,000 by the PDPC.
The PDPC said the organisation used "live" production data for development and testing purposes "without sufficiently robust processes to protect the personal data through proper safeguards."
The real estate firm also failed to conduct reasonable periodic security reviews.
In determining the penalty, the commission also considered several mitigating factors, such as the real estate firm taking prompt remedial actions and cooperating with the investigation.
The PDPC also acknowledged that the firm voluntarily admitted that it had breached the Protection Obligation by failing to protect personal data in its possession.
The nature of the compromised data that ALTDOS stole was also considered.
"Whilst the Commission took the exfiltration of such personal data into account in its decision, it does not consider these categories to be highly sensitive in nature as this information is, to a certain extent, already in the public domain," the PDPC said.
According to the commission, the compromised information is "publicly available" as defined in the Personal Data Protection Act 2012, given that any member of the public could look up such information.