Categories: Resources

On Data Protection Management: The Razer and Capgemini Incident

Data Protection Management
A good Data Protection Management will save organisations a whole lot of money paying for penalties for breaches.

On Data Protection Management: The Razer and Capgemini Incident

What we know so far

Razer, a gaming company, has filed a lawsuit against a vendor following a cybersecurity breach that exposed confidential information about its customers and sales to the public. 

The data leak, which occurred over a three-month period from June to September 2020, made headlines when a security researcher revealed that the personal information of approximately 100,000 Razer customers could have been compromised. 

Razer claims it has lost approximately $6.85 million in profit from its online website as a result of the data breach. With this, Razer is suing for unquantified monetary damages for profit losses resulting from the rejection of its digital bank license application.

Mr. Argel Cabalag, a Capgemini employee, caused the cybersecurity breach when an issue arose in Razer’s internal IT system, according to Razer.

Also Read: Check the Do Not Call Registry in Singapore before marketing to phone numbers

Organisations must ensure that security arrangements are in place for them not to have a problem in the future.

Razer employing an IT vendor

Capgemini recommended Razer the ELK Stack platform. It collects and analyses vast quantities of data from numerous sources, storing it in a centralised data repository. Capgemini is a “reliable and respected partner” for IT solutions, according to Razer. With Capgemini’s assistance in setting up and configuring the system, Razer agreed to use the ELK Stack in its IT system at Capgemini’s proposal.

Additionally, Razer hired Mr. Argel Cabalag to be stationed at its headquarters and serve as a subject matter expert.

On June 17 and 18, 2020, Mr. Cabalag examined a problem with Razer’s ELK Stack. Employees of Razer were unable to log in and resolve the issue on their own. Mr. Cabalag was the only one to troubleshoot the ELK Stack and rectified the issue within a day.

He was also the sole person with the skills and expertise to access and modify a configuration file on Razer’s server, and he reported to the Razer staff shortly after the 16-minute window that everything was alright.

A vendor can be liable under the PDPA in case of protection obligation breach if it is a data intermediary of its organization.

Security Misconfiguration discovered

Upon discovering the security breach, a bug bounty hunter or a white hat hacker found the data leak due to a security misconfiguration. This was caused by the ELK Stack’s security settings being manually disabled. 

This now became the reason why a data leak occurred and made the ELK Stack vulnerable to cyberattacks and breaches, which could have resulted in further damage from public backlash and PDPA penalties that could range up to S$1,000,000.

Similar to the bug bounty that found the data leak, Privacy Ninja has also performed numerous pentests on its clients’ networks and infrastructure and can conclude that it’s common to find security misconfigurations to lead to security lapses. 

This doesn’t mean that the IT personnel or vendors of the clients hate Privacy Ninja when we discover vulnerabilities, but in another way, they learn from our reports and, moving forward, can better configure and harden other clients’ systems.

Data Protection Management: Liability of the vendor under the PDPA

A vendor can be liable under the PDPA in case of protection obligation breach if it is a data intermediary of its organization. 

The PDPA defines a “data intermediary” as an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation;”

The PDPA non-exhaustively defines “processing” as the carrying out of any operation or set of operations in relation to personal data, and includes any of the following:

(a) recording;

(b) holding;

(c) organisation, adaptation or alteration;

(d) retrieval;

(e) combination;

(f) transmission; 

(g) erasure or destruction;”

In engaging a vendor, to make sure that security misconfiguration does not happen in the future, a good practice is to set out guidelines on how the vendor operates in the organisation’s systems. This way, whenever changes are made that could harm the organisation, it can be reviewed by it to assess if security arrangements are met.

Also Read: The Singapore financial services and markets bill: Everything you need to know

Privacy Ninja

Recent Posts

Role of Enhanced Access Controls in Safeguarding Personal Data in Telecommunications

Role of Enhanced Access Controls in Safeguarding Personal Data in Telecommunications that every Organisation in…

4 days ago

Role of Effective Incident Response Procedures in Strengthening Data Security

Effective Incident Response Procedures in Strengthening Data Security that every Organisation in Singapore should know…

5 days ago

Strengthening Your Cyber Defenses: The Crucial Role of Regular Vulnerability Scanning

Crucial Role of Regular Vulnerability Scanning that every Organisation in Singapore should know. Strengthening Your…

6 days ago

Enhancing Data Security with Multi-Factor Authentication

Enhancing Data Security with Multi-Factor Authentication that every Organisation in Singapore should know. Enhancing Data…

2 weeks ago

A Strong Password Policy: Your Organization’s First Line of Defense Against Data Breaches

Strong Password Policy as a first line of defense against data breaches for Organisations in…

2 weeks ago

Enhancing Website Security: The Importance of Efficient Access Controls

Importance of Efficient Access Controls that every Organisation in Singapore should take note of. Enhancing…

3 weeks ago