MyRepublic ordered to pay S$60,000 for failing to protect personal data of 80,000 customers
The access key used to obtain MyRepublic's customer data could be found on a publicly accessible webpage.
SINGAPORE: MyRepublic Singapore has been ordered to pay a financial penalty of S$60,000 for failing to protect the personal data of almost 80,000 customers in a cyber incident last year.
The Personal Data Protection Commission (PDPC) on Thursday (Sep 15) published its decision containing the findings of its investigation into the incident.
The data breach took place on Aug 29, 2021. Local telco provider MyRepublic received an email from an external actor threatening to publish the stolen customer data unless a ransom was paid.
MyRepublic informed PDPC of the attack on Sep 1, 2021, and announced it publicly on Sep 10, 2021.
Personal data belonging to more than 75,000 Singaporeans and permanent residents was stolen during the breach, in the form of scanned copies of both sides of their NRICs and work pass cards.
Scans of residential address documents belonging to more than 4,300 foreigners, and forms from more than 3,600 customers porting over mobile services, which contained their full names and mobile numbers, were also compromised.
At the time of the incident in August 2021, MyRepublic accepted customer orders for mobile services through its mobile order portal, according to PDPC's findings.
The portal stored customers' identity verification and mobile number porting documents in a "bucket" on cloud storage provided by Amazon Web Services (AWS).
The bucket was reachable from the public internet, but access to its contents required an AWS access key. Investigations found that the external actor used that key to access the bucket.
"Fortunately, the compromised access key could not be used by the external actor to access (MyRepublic's) other AWS accounts, systems or buckets," said PDPC.
"However, an unusually large volume of data had been downloaded from the bucket before it was deleted."
PDPC noted that MyRepublic controlled a high volume of sensitive personal data and should have implemented stronger security measures to protect it. It identified multiple failures by the telco to protect the access key.
According to MyRepublic, the bucket's access key could be found on a publicly accessible webpage displaying technical information used by programmers, known as "PHP info" (the output of PHP's phpinfo() function, which lists the server's configuration, including its environment variables).
"This was a significant vulnerability as anyone who knew or could guess the php-info URL could obtain the access key and use it to access the customer data in the bucket," said PDPC.
The commission noted that MyRepublic had determined this was the most likely way that the external actor had obtained the access key.
Instead of leaving the access key publicly accessible, MyRepublic should have disabled the "PHP info" function or moved the access key to files that were only available to authorised individuals, said PDPC.
According to MyRepublic, the access key was also embedded in the source code of the mobile order portal, which was available to all of the telco's developers.
The external actor could have obtained the access key in this way, or a developer could have inadvertently disclosed it, said PDPC.
The commission also said that the access key was "captured in the clear" in mobile order application log files made available to employees, including external developers and engineers, who did not require such information.
Furthermore, given the high volume and sensitivity of the customer data stored in the bucket, the bucket itself should not have been publicly available, added PDPC.
In deciding on the penalty, the commission said that MyRepublic took prompt and effective remedial actions, cooperated with investigations and voluntarily accepted liability.
The remedial actions included replacing the access key, removing environment configuration files that exposed the access key and restricting access to buckets to specific IP addresses.
MyRepublic notified affected customers and recommended actions to minimise the risk of identity fraud and social engineering, said PDPC. It also offered affected customers six months of complimentary credit monitoring services.
The telco also conducted a month of dark web monitoring until Oct 3, 2021, to verify whether the stolen data was published.