Excerpt from Marketing Interactive Article, Published on Aug 30, 2024.
The Consumers Association of Singapore (CASE) has been fined SG$20,000 for a significant data breach, highlighting the importance of stringent data protection measures. The Personal Data Protection Commission (PDPC) found CASE in violation of key protection and accountability obligations under the Personal Data Protection Act (PDPA). CASE’s failure to implement adequate security measures resulted in two major incidents in October 2022 and June 2023, compromising the personal data of thousands of individuals.
In the first incident, a threat actor accessed CASE’s email accounts, sending phishing emails to consumers. These emails falsely informed consumers that their complaints had been escalated and requested their banking details for compensation, leading to financial losses amounting to SG$217,900. Investigations revealed that the attacker likely obtained login credentials through a phishing attack on a CASE employee. The investigation also uncovered that some of CASE’s computers were running outdated operating systems without security updates.
During the PDPC’s ongoing investigation, a second incident occurred in June 2023, where phishing emails were sent reproducing consumers’ complaints. Although the exact method of this breach remains undetermined, PDPC’s findings indicated that CASE had insufficient password management policies and lacked proper logging and monitoring practices to detect suspicious activities.
As a result, CASE was ordered to pay a fine of SG$20,000 and was directed to rectify security gaps, update its data protection policies, and enhance its overall IT infrastructure. CASE has acknowledged the PDPC’s decision and committed to improving its security measures to prevent future breaches. This case underscores the critical need for organizations to uphold robust data protection standards to safeguard consumer information.
To delve deeper into this topic, please read the full article on Marketing Interactive.
