PDPC investigating security vulnerability on Chan Brothers website

Screengrab of Singapore travel agency Chan Brothers' website.

SINGAPORE: The Personal Data Protection Commission (PDPC) said Friday (May 24) it is investigating a security lapse on Chan Brothers Travel's website which left some personal data of its customers vulnerable to potential exposure.

The vulnerability was discovered by Mr Andrew Goh, who works in the financial technology industry. He told CNA on Thursday that because of a security flaw, he was able to see the booking records and enquiries made by some customers on the Chan Brothers Travel Club webpage.

The co-founder of local fintech start-up Factors Platform said he stumbled on the security flaw while doing some research work trying to “scrape” user reviews to predict sales and bookings, and their possible effects on share prices. In doing so, he realised the webpage was “not properly configured” and the permission access was not set correctly.

The customer information which was accessible also included email addresses, phone numbers and NRIC numbers. CNA was also able to view such data when it repeated the techniques used by Mr Goh.

After he discovered the vulnerability, Mr Goh reported it to Chan Brothers.

In response to CNA's queries, Chan Brothers' head of marketing communications Jane Chang said the company had taken action as soon as it became aware of the vulnerability.

"We immediately took action to address the matter including containing the extent of vulnerabilities, assessing the extent of impact and reporting the incident to PDPC. Some of the measures undertaken require continual monitoring, review and action as it involves information that has been publicly cached," she said.

She added that the site has been shut down.

"We are reviewing protection and prevention measures and putting in place operational and policy-related measures, including tightening IT-related security measures and implementing more system monitoring controls," she said, adding that the company deeply regrets that this occurred and takes full responsibility.

"We would like to assure our customers that no sensitive booking and financial information was revealed. That said, we recognise that no personal data should be exposed at all, in any manner and that it is our responsibility and priority to protect our customers’ personal data," said Ms Chang.

Chan Brothers is working with its vendor Aodigy Asia Pacific to investigate the incident.

Source: CNA/kk(cy)