Real estate firm OrangeTee & Tie fined for data breach involving 250,000 customers and employees
A hacking group exploited vulnerabilities in the company's web servers and got access to 11 databases that contained personal data.
The OrangeTee & Tie building in Toa Payoh. (Photo: Google Maps screenshot)
SINGAPORE: Real estate agency OrangeTee & Tie has been fined S$37,000 by Singapore’s privacy watchdog after the personal data of more than 250,000 customers and employees was compromised.
Names, bank account numbers, property transaction amounts, as well as identity card numbers were extracted from outdated database servers by a cybercrime group in 2021.
In a written judgment released on Monday (Apr 17), the Personal Data Protection Commission (PDPC) found several lapses on OrangeTee & Tie’s part that led to the data breach.
These included failing to conduct reasonable periodic security reviews prior to the incident in 2021, as well as using “live” data for development and testing purposes without proper safeguards in place.
WHAT HAPPENED
On Aug 3, 2021, OrangeTee & Tie received a ransom demand email from ALTDOS, a threat actor group that has claimed to have hacked multiple companies in Southeast Asia.
The group claimed they had been hacking OrangeTee & Tie’s network since June 2021. The ransom demand also contained video footage of five databases purported to have been stolen.
ALTDOS demanded a ransom of 10 Bitcoins for the safety and non-disclosure of the databases. OrangeTee & Tie then filed a police report and reported the data breach to a division of the Cyber Security Agency of Singapore, which falls under the Prime Minister's Office.
When ALTDOS did not receive the ransom, it carried out a distributed denial-of-service attack that brought down OrangeTee & Tie’s network.
It also sent another ransom demand via email and the WhatsApp messaging service to some of the company’s employees.
OrangeTee & Tie engaged a private forensic expert who discovered that ALTDOS had accessed 11 databases, containing the personal data of 256,583 customers and employees.
According to the PDPC’s judgment, this unencrypted personal data was stored on two database servers. One of these servers was directly accessible from the internet, while the other was linked to another server that was also internet-facing.
ALTDOS had exploited vulnerabilities in the servers, which were running an outdated service pack that Microsoft had ceased support for.
COOPERATED DURING INVESTIGATIONS
The PDPC found that OrangeTee & Tie breached its protection obligation under the Personal Data and Protection Act in two ways.
It had used “live” production data, including personal data, for development and testing purposes without sufficiently robust processes in the form of a security assessment.
Without such an assessment, OrangeTee & Tie could not make an informed decision on whether its security arrangements to protect the personal data were reasonable, or needed to be improved.
A safer practice would be to use anonymised data for testing purposes, said the PDPC.
OrangeTee & Tie had also failed to conduct reasonable periodic security reviews, which should be a basic practice to identify and correct any vulnerabilities, the PDPC added.
OrangeTee & Tie subsequently admitted that it had not considered the need for such reviews in its IT security policy.
In deciding what financial penalty to impose, the PDPC considered mitigating factors such as the company taking prompt remedial actions.
It immediately shut down and isolated the affected servers from the rest of the IT network and updated its servers with the latest security patches.
It also notified those affected, cooperated during investigations and voluntarily admitted to breaching its protection obligation, said the PDPC.
The PDPC added that while names and property transaction amounts were exfiltrated, it did not consider these categories to be highly sensitive since it was already in the public domain to a certain extent.
For example, a member of the public can look up names through a land titles search on the Singapore Land Authority's website.
In October last year, the maximum amount that a company can be fined for a data breach was increased to either 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher.
Previously, organisations that violate the Personal Data Protection Act would face a financial penalty of up to S$1 million.
