FutureStarr

Eatigo Fined S$62400 For Data Breach Leading to Sale of 2.8 Million Users' Personal Information


The Personal Data Protection Commission (PDPC) has fined Eatigo S$62,400 for a data breach that resulted in the sale of 2.8 million users' personal information, the highest cyber security penalty the agency has ever levied.

The fine was imposed for an illegal breach of Eatigo's database between 2018 and 2020, in which hackers gained access to usernames, email addresses and Facebook ID numbers.

The PDPC’s judgment

Recently, the Personal Data Protection Commission (PDPC) issued a judgment concerning Eatigo's data breach, which resulted in the sale of 2.8 million users' personal information on an online forum. As punishment, the PDPC fined Eatigo S$62,400 for failing to protect customers' private information.

The PDPC concluded that eatigo's data breach was caused by multiple errors on its part. The company failed to properly categorize and track personal data assets, leaving the database open to unauthorised access for an extended period. Furthermore, eatigo obstructed investigations by responding in an "uncooperative and evasive manner" to requests to produce specified documents.

Eatigo failed to implement security audits of its IT infrastructure, leading to the exfiltration of data. Furthermore, the company lacked an effective incident management process and neglected to assess how customers would be affected by this breach.

Thankfully, eatigo took steps to mitigate the damage. It notified affected individuals and offered free credit monitoring services. Furthermore, it conducted a security review and hired a new chief technology officer from an alternative cultural background so that it could better respond to security incidents.

Mr Yeong, PDPC's Deputy Head of Enforcement, claimed that eatigo had not adequately safeguarded its users' personal data against unauthorised access and exfiltration for an extended period. As a result, someone gained illegal access to the database which was then sold on an online forum in October 2020.

Although the data breach only affected a fraction of eatigo's user base, it was still an alarming incident that put consumers' trust and privacy at risk. The Personal Data Protection Commission (PDPC) has issued guidelines to help companies better understand their obligations under the law and take appropriate steps to address data breaches.

In addition to imposing a fine, the PDPC's judgment offers valuable insight into what can cause a data breach. It also highlights key lessons from this and similar incidents that companies can use as guides to preventing future breaches of users' personal data.

eatigo’s response

The personal data of 2.8 million users of the Eatigo restaurant reservation app was sold on an online forum. The incident serves as a warning that hackers are hungry for personal information.

Eatigo is a time-based discount app that connects diners with restaurants offering discounts of up to 50%. It operates across Thailand, Singapore, Malaysia, Hong Kong, India, the Philippines and Indonesia, and has served over 5 million diners so far.

In an email to customers entitled "Data Security Incident - 2.8 Million", the company revealed that its database of customer information had been illegally accessed. This included customers' names, email addresses, phone numbers and passwords.

Eatigo said it took steps to mitigate the impact of the leak, including notifying affected individuals and appointing a senior executive to lead data protection efforts. It also re-established its network security policies and conducted training on data protection and social engineering prevention techniques.

However, the PDPC concluded that eatigo's response to the breach was inadequate. It left its legacy database "vulnerable for an extended period" and failed to monitor data leakage, hindering its capacity for quick reaction.

On March 10, the Personal Data Protection Commission (PDPC) fined Eatigo S$62,400 for failing to put in place reasonable security measures to safeguard its users' personal data. Mr Yeong Zee Kin, PDPC Deputy Commissioner, wrote in the judgment released that day:

This data breach is particularly serious, serving as a stark reminder that organisations with significant personal data assets must regularly assess the state of their systems and processes to guarantee they remain protected. To this end, organisations must maintain an accurate and up-to-date personal data asset inventory.

For e-commerce businesses in particular, the number of data breaches each month has shown how important it is that companies remain vigilant and take appropriate action to safeguard their clients' digital identities. This is especially relevant when handling sensitive personal data such as credit card details or passwords.

PDPC’s findings

In October 2020, Eatigo was notified by the Personal Data Protection Commission (PDPC) that an online forum was selling personal information belonging to a significant number of its users. The PDPC treated this as an unlawful breach of the Personal Data Protection Act (PDPA).

According to the Personal Data Protection Commission (PDPC), Eatigo's investigation revealed that the personal data listed for sale on the forum matched a legacy database of user records. Eatigo had lost track of this database in late 2018. After the discovery, it notified affected customers, updated its network security policies, and offered training on data protection and social engineering prevention techniques.

However, the PDPC found that eatigo had made several significant errors in its data protection practices, such as leaving its database vulnerable to unauthorised access and exfiltration for an extended period. Furthermore, it obstructed investigations by responding in an "uncooperative and evasive" manner when asked for specific information and documents.

Finally, eatigo's failure to implement basic data protection processes constituted a violation of the PDPA. It failed to conduct a security audit of its IT infrastructure and did not have written data protection policies or procedures in place.

The PDPC imposed an administrative fine of S$62,400 on Eatigo for its failure to adhere to data protection requirements, which it deemed a serious breach of the Personal Data Protection Act (PDPA). The penalty is based on a company's annual turnover and is intended as punishment.

In today's rapidly digitising world, it is more essential than ever that your business not only complies with the PDPA but is also well protected against data breaches. Implementing a robust cyber security and data protection strategy at your organisation, including policies and procedures, data loss prevention measures, identity and access management, and GDPR adherence, cannot be put off until later.

Singapore's e-commerce and online retail markets continue to expand, creating more potential for data breaches and cybersecurity incidents. To combat these dangers, organisations are expected to enhance their data protection and cyber security strategies with assistance from an experienced IT consultant.

PDPC’s decision

The Personal Data Protection Commission (PDPC) fined Singaporean restaurant reservation platform eatigo S$62400 for a data breach that resulted in the sale of 2.8 million users' information. The PDPC found that eatigo had failed to implement adequate security measures to protect users' personal data and had neglected to monitor exfiltration attempts, hindering its ability to act quickly and minimize harm caused by this leak.

The PDPC also discovered that the company had neglected to perform basic data security processes and implement security audits of its IT infrastructure, which could have prevented the leak from occurring in the first place.

Mr Yeong noted that Eatigo had hindered investigations by responding in an "uncooperative and evasive manner" to PDPC requests for specific information and documents. The company claimed it had misinterpreted the inquiries, and that its new chief technology officer, who came from a different cultural background, had been hesitant to provide sensitive data to the PDPC.

In the end, the PDPC upheld the fine and found that the restaurant booking website had failed to implement adequate security measures to safeguard users' personal information. Specifically, it left its database "vulnerable to unauthorised access and exfiltration for an extended period".

At the same time, it failed to respond promptly to PDPC inquiries about how the database was acquired and sold, and disregarded requests to implement data protection policies.

Furthermore, it lacked an effective incident response management system and showed insensitivity to patients' privacy. It also failed to notify the PDPC about the incident promptly or to refer it directly to an independent expert responsible for cyber security matters.

If a business is found to have violated the data protection provisions of the Personal Data Protection Act, the PDPC can take actions such as ordering it to stop any collection, use or disclosure of personal data in its business operations and imposing a financial penalty of up to S$1 million.
