Singapore fines hotel booking site for disclosing 5.9 million records • The Register
Singapore’s Personal Data Protection Commission (PDPC) fined SG $ 74,000 ($ 54,456) on travel company Commeasure, which operates a travel booking website named RedDoorz which exposed 5.9 million customer data – the largest data breach handled by the Commission since its inception. .
The PDPC announced the sanction for “failing to put in place reasonable security arrangements to prevent unauthorized access and exfiltration of customer personal data hosted in a cloud database.”
RedDoorz started life in Indonesia before moving its operations to Singapore, from where it consolidates budget hotel reservations in select cities in Southeast Asia. A user selects a cheap hotel on RedDoorz based on photos, area and price, without always knowing the name or actual location of the hotel. When the traveler arrives, the hotel room experience is rebranded as RedDoorz and comes with certain guaranteed amenities, such as Wi-Fi, TV, and potable water.
Commeasure learned that there had been a data breach from its RedDoorz customers in September 2020, when an Atlanta-based cybersecurity company notified the parent company of a hack and offered repair services. Within a week, the travel tech company notified the PDPC.
The stolen data included names, phone numbers, email addresses, birthdays, encrypted RedDoorz account passwords and booking information. According to the decision of the PDPC, [PDF] the database did not include credit card numbers. The loot was listed for sale on a hacker forum.
The misstep that stole the data dates back to the days when the company was started, when an AWS passkey was embedded in an Android app package (APK) that was publicly available for download from the Google Play Store. The APK, created in 2015 and last updated in January 2018, was wrongly marked as a “test” key by developers at the time. It remained visible although it was considered “old” until the company was made aware of the violation in 2020.
With the AWS passkey in hand, criminals could access and exfiltrate customer records hosted in an Amazon RDS cloud database. RedDoorz attempted to protect the data – for example by hiring cybersecurity companies and using the Java Proguard obfuscation tool to prevent APK reverse engineering – but to no avail because the affected file was never rated. .
RedDoorz Founder and CEO Amit Samberwal said The register:
Commeasure told PDPC that the failure to implement processes robust enough to manage its inventory of infrastructure access keys was due to high staff turnover. It did not go well with the Commission. However, the regulator said it took into account the company’s cooperative behavior, corrective actions, ineffective but regular safety reviews and the unfortunate circumstances of being a hotel company in the midst of a crisis. pandemic, when it has decided on the financial sanction.
The Commission gave Commeasure 30 days to pay before interest started accruing. ®