Injustice: Company fined just $54k USD for biggest data breach in the history of the hotel industry

Singaporean authorities set a fine equivalent to only $54,000 USD against Commeasure, the company that owns the booking website RedDoorz, after the platform leaked the information of nearly 6 million customers, in what became the biggest data breach the country has investigated.

This sanction was imposed through the Personal Data Protection Commission (PDPC), a body that determined that the company did not have adequate security measures to restrict unauthorized access and extraction of confidential data hosted in its systems.

Commeasure reportedly detected the data breach in September 2020, when a U.S.-based cybersecurity firm submitted a detailed report on a security incident, offering its services to address the consequences of the data breach.

The PDPC notes that the compromised information includes all kinds of personal details, such as:

  • Full names
  • Telephone numbers
  • Email addresses
  • Dates of birth
  • RedDoorz access credentials
  • Request history

Authorities determined that the leak does not involve financial details, although the compromised information is now available for sale on an illegal hacking forum.

The flaws that caused the data breach date back to the company’s inception, when an Amazon Web Services (AWS) access key was embedded in the package of its Android app, available on the Google Play Store. The app has been available since 2015 and was last updated in 2018, a clear sign of deficient security practice.

Using the AWS access key, an unidentified threat actor was able to access and extract the logs that RedDoorz hosted in the cloud. Although the company tried to protect its customers’ information with an obfuscation tool, the attackers were still able to reverse engineer Commeasure’s application. The company argues that it was unable to implement better security mechanisms because of high employee turnover, but the PDPC dismissed this explanation. Commeasure could appeal the decision, but there do not appear to be sufficient grounds to do so.
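The embedded credential described above is exactly what a secret-scanning step in the build pipeline is meant to catch before an app package ships. The following is an added example (not code from RedDoorz, Commeasure or the PDPC): it scans an unpacked APK, or any byte blob, for AWS access key IDs and for high-entropy 40-character strings near them. The `WINDOW` size, the entropy threshold and the sample properties file are assumptions; the sample credentials are the placeholder values from AWS's own documentation.

```python
import math
import os
import re

# Access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 uppercase/digits.
ACCESS_KEY_RE = re.compile(rb"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret key candidates: a standalone run of exactly 40 base64-alphabet chars.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")
WINDOW = 512  # assumed: bytes on either side of a key ID to search for its secret


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; real secrets score well above words and padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def find_aws_credentials(blob: bytes, min_entropy: float = 4.0) -> list[dict]:
    """Return one finding per access key ID, with high-entropy secrets found near it."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(blob):
        lo, hi = max(0, m.start() - WINDOW), min(len(blob), m.end() + WINDOW)
        secrets = [s.decode() for s in SECRET_RE.findall(blob[lo:hi])
                   if shannon_entropy(s) >= min_entropy]
        findings.append({"access_key_id": m.group(1).decode(),
                         "secret_candidates": secrets, "offset": m.start()})
    return findings


def scan_tree(root: str) -> dict[str, list[dict]]:
    """Walk an unpacked APK (e.g. apktool output) and scan every file in it."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = find_aws_credentials(fh.read())
            if hits:
                results[path] = hits
    return results


# Constructed sample resembling a decompiled properties file. The values are the
# placeholder credentials from AWS's own documentation, not live keys.
SAMPLE = (b"aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\n"
          b"aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\n"
          b"log.bucket=app-logs-example\n")

if __name__ == "__main__":
    for hit in find_aws_credentials(SAMPLE):
        print(hit)
```

Obfuscators rename classes and methods but leave string constants recoverable, which is why the scan runs over the unpacked package rather than relying on obfuscation to hide the key.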

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.