Singapore: PDPC issues SGD 74,400 fine to E-Commerce Enablers following data breach
On August 16, 2023, the Personal Data Protection Commission (PDPC) published its decision in Case No. DP-2009-B7056, in which it issued a fine of SGD 74,400 (approx. $54,600) to E-Commerce Enablers Pte. Ltd., for violations of Section 24 of the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA), following a security incident.
Background to the decision
In particular, the PDPC stated that, on June 4, 2019, an employee of E-Commerce Enablers inadvertently published an AWS encryption key for the company's servers to a private repository on GitHub. On September 9, 2020, a threat actor used that key to access E-Commerce Enablers' database and exfiltrate the personal data of various customers. The stolen personal data was later offered for sale on an online cybersecurity forum.
Following the incident, the PDPC noted that E-Commerce Enablers adopted remedial measures including:
- deleting the compromised AWS key;
- reversing changes made by the threat actor;
- logging out all customers and resetting their passwords;
- monitoring logs to detect unauthorized access;
- separating development and production accounts;
- encrypting databases and securing access to systems and data with VPN and IP address whitelisting; and
- creating a platform for employee security suggestions/breach reporting.
Findings of the PDPC
The PDPC found that E-Commerce Enablers had breached its obligations under Section 24 of the PDPA to protect personal data in its possession or under its control, by:
- failing to implement secure processes to manage the AWS keys that granted access to the company's servers; and
- failing to conduct periodic security reviews to determine if the AWS keys had been compromised.
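The two failures the PDPC identified map to two routine checks: scanning repository content for committed AWS credentials, and periodically auditing the IAM key inventory for keys that are past their rotation age or have never been used. The following is an added example of both checks, not code from the PDPC decision or from E-Commerce Enablers. The repository files and the key inventory are constructed for illustration; the key values are AWS's documented placeholder examples, and the policy thresholds (90-day rotation, 30-day idle limit) are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA for long-term
# IAM user keys, ASIA for temporary STS keys) followed by 16 uppercase
# alphanumerics. A secret access key is 40 characters from the base64 alphabet;
# on its own that pattern is noisy, so it is only reported on lines that also
# mention "secret".
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")

# Constructed sample of repository content (not from the decision): a settings
# file of the kind a developer commits by mistake. Both values are the
# placeholder examples used in AWS's own documentation.
SAMPLE_REPO_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Deploy with `aws s3 sync ./build s3://example-bucket`\n",
    "scripts/deploy.sh": "export AWS_PROFILE=prod\n",
}

# Constructed key inventory (assumption). The first row mirrors the timeline in
# the decision: a key created on June 4, 2019 that has never been legitimately
# used. The field names correspond to CreateDate from `aws iam list-access-keys`
# and LastUsedDate from `aws iam get-access-key-last-used`, as ISO dates.
KEY_INVENTORY = [
    {"id": "AKIAIOSFODNN7EXAMPLE", "created": "2019-06-04", "last_used": None},
    {"id": "AKIAI44QH8DHBEXAMPLE", "created": "2020-07-20", "last_used": "2020-08-28"},
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    value: str


def scan_text(path, text):
    """Return every AWS credential-shaped token found in one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, lineno, "access_key_id", m.group(0)))
        if "secret" in line.lower():
            for m in SECRET_KEY_RE.finditer(line):
                findings.append(Finding(path, lineno, "secret_access_key", m.group(0)))
    return findings


def scan_repo(files):
    """Scan a mapping of path -> contents; in practice feed it every commit,
    since a key deleted in a later commit is still recoverable from history."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def audit_key_inventory(inventory, today, max_age_days=90, max_idle_days=30):
    """Flag keys past the rotation age, never used, or idle beyond the limit.
    Returns {key_id: [reasons]} for keys that need rotation or deletion."""
    flags = {}
    for key in inventory:
        reasons = []
        age = (today - date.fromisoformat(key["created"])).days
        if age > max_age_days:
            reasons.append(f"age {age} days exceeds {max_age_days}-day rotation policy")
        if key["last_used"] is None:
            reasons.append("never used")
        else:
            idle = (today - date.fromisoformat(key["last_used"])).days
            if idle > max_idle_days:
                reasons.append(f"idle for {idle} days")
        if reasons:
            flags[key["id"]] = reasons
    return flags


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {f.value[:8]}...")
    for key_id, reasons in audit_key_inventory(KEY_INVENTORY, date(2020, 9, 1)).items():
        print(f"{key_id}: {'; '.join(reasons)}")
```

Run against history rather than a working tree (for example, by feeding `scan_text` the output of `git log -p`), because the committed key remains in every clone until the history is rewritten and the key itself is rotated. The inventory audit is the "periodic review" the PDPC described: run on a schedule, a key that is 455 days old and has never been used is an obvious candidate for deletion long before anyone else finds it.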
Furthermore, the PDPC noted that E-Commerce Enablers took 15 days to respond to the breach and that the AWS key had been exposed for 15 months before it was abused. However, the PDPC also highlighted that E-Commerce Enablers cooperated with the investigation and admitted liability.
In light of the above, the PDPC imposed a fine of SGD 74,400 (approx. $54,600) on E-Commerce Enablers.