You are here

ION Orchard fined S$15,000 over customer data breach

The company that manages ION Orchard was on Thursday (Jul 6) fined S$15,000 by the Personal Data Protection Commission (PDPC) over a breach involving the personal data of its customers, writes channelnewsasia.com.

In the incident, which took place on Dec 26, 2015, an unknown perpetrator used valid admin account credentials to log in to a server that held personal customer data.

The person sent unauthorised emails to 24,913 subscribers of the mall's loyalty programme mailing list, promoting "free" ION+ Reward points.

The e-mails contained a link which directed the subscriber to an online advertisement website. The subscriber would then be prompted to select one of several options to obtain the bogus reward points. If any of the options were selected, the person would then be directed to more pages requesting personal data, such as the person's mobile phone number or email address.

The organisation emailed subscribers the next day and again a few days later warning them about the incident.

The PDPC said that Orchard Turn Developments - which is the property manager for ION Orchard - had failed to make reasonable security arrangements to protect the personal data of its members.

It said that the system setup used to run ION's loyalty programme unnecessarily "increased risk", and that the organisation did not have adequate policies to protect admin account passwords.

 

"There was no evidence of hacking or that the perpetrator had deployed any brute force attacks," the PDPC said in its grounds of decision. It added that this suggested it was likely that the perpetrator had managed to get hold of valid admin account credentials to gain access to the servers.

It found that Orchard Turn Developments did not have any policy to prohibit the sharing of admin account credentials, or to enforce the periodic expiry and renewal of these. Instead, it had only one admin account, which was shared among four authorised users.

The admin account password had also not been changed from November 2014 until the time of the data breach in December 2015.

As well as the S$15,000 fine, Orchard Turn Developments was also told to patch vulnerabilities and tighten its data protection policies and practices.