Eatigo fined S$62,400 for data breach leading to sale of 2.8 million users’ personal data
The restaurant reservation platform lost track of the database when it migrated to its current online platform in 2018.
SINGAPORE: Restaurant reservation platform eatigo has been fined S$62,400 after a database containing the personal data of around 2.8 million users was put up for sale on an online forum.
Names, emails, telephone numbers, encrypted passwords, Facebook ID numbers and tokens – which allowed access to users’ Facebook and eatigo accounts – were affected in the data breach.
The company had effectively lost track of the legacy database when it migrated to its current online platform in 2018, said Deputy Commissioner of the Personal Data Protection Commission (PDPC) Yeong Zee Kin in a written judgment released on Friday (Mar 10).
The data leak only came to the authority's attention in October 2020.
The PDPC found that the company had failed to implement reasonable security arrangements to protect its users' personal data.
Eatigo had left the database “exposed to a risk of unauthorised access and exfiltration for a protracted period of time”, Mr Yeong wrote. It also impeded investigations by responding in an “uncooperative and evasive manner” to the PDPC’s notices to produce specified information and documents.
Furthermore, eatigo did not implement basic data protection processes or conduct security audits of its IT infrastructure, which might have led to the discovery of the leaked database.
WHAT HAPPENED
In October 2020, a third party notified the PDPC about an online forum that was selling personal data from various e-commerce sites around the world.
The same post in the forum listed for sale personal information from 1.1 million RedMart accounts. The grocery delivery service, which is owned by e-commerce platform Lazada, was fined S$72,000 last year.
According to the post, the eatigo accounts affected were in Singapore, Hong Kong and Thailand.
Eatigo began investigating when it was informed of the data breach by the PDPC, a user as well as a CNA journalist. It found that the personal data for sale matched the structure of a legacy database containing user data as of late 2018.
The database was last updated then, and was hosted on the infrastructure of a cloud service provider in Singapore.
Eatigo then moved to its current online platform, a process which involved a complete redevelopment of its data storage infrastructure.
The company kept the database to support the migration of data to the new platform, but it transitioned to a new engineering team and did not conduct a proper handover, which meant the team did not know about the database.
The firm’s former chief technology officer had resigned a few months ago, along with various engineers whom he recruited.
The database was also not included in eatigo’s virtual private network infrastructure after the migration.
Eatigo was unable to determine exactly when the threat actor illegally gained access to the database, but this likely happened between 2018 and 2020 when the data was put up for sale.
During this period, the database was accessible from the Internet. Anyone who had the requisite credentials could access it too, but no eatigo employees had these credentials or knew about the database.
When the database was put up for sale, the personal data of 154 eatigo users were displayed in the forum post. This included the Facebook ID numbers and tokens of around 10 users.
Eatigo then implemented a slew of remedial actions, such as securely backing up and deleting the database. Affected individuals were also notified, while staff were updated on network security policies and given training on data protection and social engineering prevention.
"HONESTY IS THE BEST POLICY"
In his judgment, PDPC’s Mr Yeong laid out multiple lapses on eatigo’s part.
Organisations with substantial personal data assets must maintain an accurate and up-to-date personal data asset inventory, which will ensure they know what their assets are even with staff turnovers, Mr Yeong said.
Since the database was effectively forgotten about, eatigo did not monitor the exfiltration of data, which impeded its ability to react swiftly to mitigate the effects of the data leak.
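The lapses described above (a legacy database left off the inventory, outside the VPN and with no owning team after the handover) are the kind a periodic reconciliation of discovered resources against the personal data asset inventory would surface. The following is an added illustration, not code from eatigo or the PDPC; the resource names, dates and the enumeration input are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Resource:
    name: str
    public: bool                 # reachable from the Internet rather than VPN-only
    last_modified: date          # last write to the data store
    owner: Optional[str] = None  # team that currently knows about and owns it

# Constructed sample: what a cloud account actually contains, as a hypothetical
# resource enumeration would report it.
DISCOVERED: List[Resource] = [
    Resource("users-prod", public=False, last_modified=date(2020, 10, 1), owner="platform"),
    Resource("users-legacy-2018", public=True, last_modified=date(2018, 11, 30)),
]

# Constructed sample: what the organisation believes it has (name -> owning team).
INVENTORY: Dict[str, str] = {"users-prod": "platform"}

def audit(discovered: List[Resource], inventory: Dict[str, str],
          today: date, stale_days: int = 365) -> List[Tuple[str, str]]:
    """Reconcile enumerated data stores against the inventory.

    Returns (resource name, issue) findings for stores that are untracked,
    ownerless, Internet-exposed, or stale enough to be backed up and deleted.
    """
    findings: List[Tuple[str, str]] = []
    seen = set()
    for r in discovered:
        seen.add(r.name)
        if r.name not in inventory:
            findings.append((r.name, "not in personal data asset inventory"))
        if r.owner is None:
            findings.append((r.name, "no current owner after team handover"))
        if r.public:
            findings.append((r.name, "reachable from the Internet, not VPN-only"))
        if (today - r.last_modified).days > stale_days:
            findings.append((r.name, "stale: candidate for secure backup and deletion"))
    # Inventory entries that no longer exist are a drift signal too.
    for name in inventory:
        if name not in seen:
            findings.append((name, "listed in inventory but not found in account"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(DISCOVERED, INVENTORY, date(2020, 10, 15)):
        print(f"{name}: {issue}")
```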
Mr Yeong added that eatigo’s “poor knowledge management” frequently led to it “providing inconsistent, extraneous and dilatory responses” to the PDPC’s notices to produce specified information and documents relating to eatigo’s access models.
This caused the PDPC to expend “substantial time and resources to seek various rounds of clarifications” with eatigo.
This was among the aggravating factors listed in deciding what financial penalty to levy on eatigo.
Mr Yeong wrote: “Organisations that are uncooperative and that throw up objections will only prolong investigations. The Commission will not be deterred by such tactics.
“If, as is possible in this case, the organisation did not have the information or needed more time to recover the information, honesty is the best policy,” he added.
“Hiding behind vague notions like ‘additional security risks’ without providing details can and will be interpreted as cavalier and obstructive, and will be taken as an aggravating factor when the eventual outcome is determined.”
COVID-19 AFFECTED BUSINESS: EATIGO
When the PDPC notified eatigo in 2021 of its preliminary decision to impose a financial penalty, eatigo argued for a warning or a lower fine.
According to the judgment, the company said it did not intend to impede investigations, but was instead “hampered due to diminished corporate knowledge” of the database and the impact of the COVID-19 pandemic on its management and operations.
It also argued that it misunderstood the PDPC’s queries, and that its new chief technology officer was from a different cultural background and thus reluctant to provide sensitive data to the PDPC.
Mr Yeong, however, rubbished these arguments.
As for the impact of the data leak, eatigo said it was limited due to factors such as the company not collecting NRIC numbers, birth dates or sensitive financial data like credit card details. The login passwords that were leaked were encrypted as well.
The PDPC accepted eatigo’s representation that a higher penalty would likely lead to the company’s closure.
Among other indications, its monthly income statements from 2021 indicated that it was incurring heavy net losses on a month-to-month basis. It also had various substantial short-term loans due in the near future.
“In view of this situation, the Commission shall refrain from imposing a financial penalty that might push the organisation’s business even closer to the brink,” said Mr Yeong.
Eatigo will have to pay the penalty in 12 monthly instalments.