On Data Protection Management: The Razer and Capgemini Incident
What we know so far
Razer, a gaming company, has filed a lawsuit against a vendor following a cybersecurity breach that exposed confidential information about its customers and sales to the public.
The data leak, which occurred over a three-month period from June to September 2020, made headlines when a security researcher revealed that the personal information of approximately 100,000 Razer customers could have been compromised.
Razer claims it lost approximately $6.85 million in profit from its online store as a result of the data breach. In addition, Razer is seeking unquantified monetary damages for the profit losses it attributes to the rejection of its digital bank licence application.
According to Razer, the breach was caused by Mr. Argel Cabalag, a Capgemini employee, while he was dealing with an issue that had arisen in Razer’s internal IT system.
Razer employing an IT vendor
Capgemini recommended the ELK Stack platform to Razer. The platform collects and analyses vast quantities of data from numerous sources and stores it in a centralised data repository. According to Razer, Capgemini is a “reliable and respected partner” for IT solutions, and on Capgemini’s proposal Razer agreed to deploy the ELK Stack in its IT system, with Capgemini’s assistance in setting up and configuring it.
Additionally, Razer hired Mr. Argel Cabalag to be stationed at its headquarters and serve as a subject matter expert.
On June 17 and 18, 2020, Mr. Cabalag examined a problem with Razer’s ELK Stack. Razer’s employees were unable to log in and could not resolve the issue on their own; Mr. Cabalag was the only person to troubleshoot the ELK Stack, and he rectified the issue within a day.
He was also the sole person with the skills and expertise to access and modify a configuration file on Razer’s server, and shortly after the 16-minute window he reported to the Razer staff that everything was in order.
Security Misconfiguration discovered
The data leak was found by a bug bounty hunter (a white hat hacker) and traced to a security misconfiguration: the ELK Stack’s security settings had been manually disabled.
This misconfiguration is what allowed the data leak to occur. It left the ELK Stack exposed to cyberattacks and breaches, which could have caused further damage through public backlash and PDPA penalties of up to S$1,000,000.
Like the bug bounty hunter who found this leak, Privacy Ninja has performed numerous pentests on its clients’ networks and infrastructure, and in our experience it is common for security misconfigurations to lead to security lapses.
This does not mean that clients’ IT personnel or vendors resent Privacy Ninja when we discover vulnerabilities; rather, they learn from our reports and, moving forward, can better configure and harden other clients’ systems.
Data Protection Management: Liability of the vendor under the PDPA
A vendor can be liable under the PDPA for a breach of the protection obligation if it is a data intermediary of the organisation.
The PDPA defines a “data intermediary” as “an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation”.
The PDPA non-exhaustively defines “processing” as the carrying out of any operation or set of operations in relation to personal data, and includes any of the following:
(c) organisation, adaptation or alteration;
(g) erasure or destruction.
When engaging a vendor, a good practice for preventing security misconfigurations in the future is to set out guidelines on how the vendor operates within the organisation’s systems. This way, whenever the vendor makes a change that could affect the organisation’s security, the organisation can review it and assess whether its security arrangements are still met.
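As an added example (not part of the original article or of any Razer or Capgemini material), the check below shows what such a review can look like in practice for the misconfiguration described above: it audits an Elasticsearch configuration for disabled security and reports every setting that drifted from an approved baseline. The setting names are real Elasticsearch settings, but the page does not say which settings were changed in the Razer case, so both sample files are constructed for illustration.

```python
"""Audit a flat elasticsearch.yml for disabled security and report drift
from an approved baseline, so a vendor's manual change is caught at review.
Sample configs are constructed; the real changed settings are not public."""

# Constructed: the configuration as approved before any vendor change.
BASELINE_YML = """\
cluster.name: analytics
network.host: 10.0.0.12
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Constructed: the configuration as found after troubleshooting.
CURRENT_YML = """\
cluster.name: analytics
network.host: 0.0.0.0          # listen on every interface
xpack.security.enabled: false  # auth switched off to "fix" the login problem
xpack.security.http.ssl.enabled: false
"""

def parse_es_yml(text):
    """Parse the flat 'key: value' form elasticsearch.yml normally uses.
    Comments and blank lines are ignored; nested YAML is out of scope."""
    config = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        config[key.strip()] = value.strip()
    return config

def audit(config):
    """Return findings for settings that expose the cluster without auth.
    A missing key is treated as disabled rather than trusting version defaults."""
    findings = []
    if config.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication")
    if config.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("HTTP TLS disabled: credentials and data travel in clear")
    if config.get("network.host") in ("0.0.0.0", "_global_", "::"):
        findings.append("network.host binds all interfaces: reachable beyond localhost")
    return findings

def drift(baseline, current):
    """List (key, approved, actual) for every setting that differs from the
    baseline; each entry is a change the organisation should sign off."""
    keys = sorted(set(baseline) | set(current))
    return [(k, baseline.get(k), current.get(k))
            for k in keys if baseline.get(k) != current.get(k)]
```

Run the audit on a copy of the live configuration after each vendor intervention; an empty `drift()` result with no `audit()` findings is the state the guidelines should require before the change is accepted.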