Privacy Ninja

Why protecting customer information matters: The case of MyRepublic

Organizations must practice due diligence in protecting customer information or face a potential financial penalty of up to S$1,000,000.

On MyRepublic and protecting customer information

The Personal Data Protection Commission (PDPC) has recently published this month’s decision. For September, only one case has been issued covering the financial penalty given to MyRepublic. Their PDPA violation? Failure to protect the personal data of their customers.

It should be noted that the Personal Data Protection Act (PDPA), which the PDPC administers and enforces, aims to balance organisations’ need to use data for legitimate purposes against the protection of individuals’ personal information.

The PDPC publishes its decisions on its website, where anyone can read the latest data protection standards it has set. Organisations that want to meet those standards therefore have a duty to keep up to date with the latest PDPC decisions and undertakings.

Let’s have a look at this month’s only case, together with the latest cybersecurity lessons it offers, and answer the question of why protecting customer information matters.

Whenever there is a failure of the organisation to protect customer information, or there has been a leak of personal data that the organisation is handling, there is a risk of losing the trust of the loyal customers and potential future clients.

September 15: The financial penalty imposed on MyRepublic

Our lone case this month involves MyRepublic. On 29 August 2021, the PDPC was informed that MyRepublic had been the subject of a cyber incident. According to the organisation, a bad actor had exfiltrated and deleted its customers’ personal data from its IT systems.

MyRepublic is a local telco provider that accepts customer orders for mobile services through its Mobile Order Portal. Through this portal, customers submit their customer identity verification and number portability documents, also known as “KYC documents”.

The portal stored these KYC documents in cloud storage provided by Amazon Web Services (AWS), accessible only with an access key. MyRepublic became aware that a bad actor had accessed these KYC documents, but at first had no idea how the bad actor had got hold of the access key.

The organisation determined that the bad actor had likely obtained the access key through a portal function that displayed technical information and disclosed the access key held in the portal’s source code repository.

The incident resulted in the access and exfiltration of the personal data of the organisation’s 79,388 customers. For breaching the Protection Obligation under the PDPA, the Commission ordered MyRepublic to pay a whopping S$60,000 financial penalty.

How is your organisation’s cybersecurity posture? Be sure you have sufficient tools, people, and processes to protect your organisation’s “oil” — customer information in your possession.

What can we get from this case?

This incident highlights the importance of removing configuration files that may be reachable through a portal, as they may expose the access keys that bad actors must not get hold of.
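As an added illustration (not code from the original post, and not MyRepublic’s tooling), the following Python script scans a portal’s checkout or web root for the kind of exposure just described: configuration files that should never be reachable or committed, and hard-coded AWS access keys inside them. The file names, the in-memory sample tree and the credential values are constructed for the example; the key values are the placeholder credentials from AWS’s own documentation, and the key-ID format is the one AWS documents.

```python
import os
import re
from typing import Dict, List, Tuple

# AWS long-term access key IDs are 20 characters beginning with "AKIA"
# (temporary ones begin with "ASIA"); the format is documented by AWS.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 base64-style characters. Only flag them when they
# sit on the right-hand side of a credential-looking assignment, so ordinary
# 40-character hashes (git commit IDs, SHA-1 digests) are not reported.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# File names that routinely carry credentials and have no business being
# reachable through a public portal or committed to its repository (assumed list).
SENSITIVE_NAMES = {".env", "config.php", "wp-config.php", "config.json",
                   "settings.py", "credentials"}

Finding = Tuple[str, int, str]  # (path, line number, what was found)


def scan_file(path: str, text: str) -> List[Finding]:
    """Scan one file's contents; line number 0 marks a file-name finding."""
    findings: List[Finding] = []
    if os.path.basename(path) in SENSITIVE_NAMES:
        findings.append((path, 0, "sensitive-filename"))
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            # Report only a prefix so the scanner's own output is not a leak.
            findings.append((path, lineno, f"aws-access-key-id:{m.group(1)[:4]}..."))
        if SECRET_KEY_RE.search(line):
            findings.append((path, lineno, "aws-secret-access-key"))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map (used for the constructed sample)."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Walk a real checkout or web root and scan every readable file in it."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    files[path] = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return scan_tree(files)


# Constructed sample: a portal checkout with a committed .env file. The key
# values are the placeholder credentials from AWS's documentation, not real keys.
SAMPLE_FILES = {
    "portal/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "portal/app.py": "import os\nkey_id = os.environ['AWS_ACCESS_KEY_ID']\n",
    "portal/README.md": "Last commit: 3f786850e387550fdab836ed7e6dc881de23001b\n",
}

if __name__ == "__main__":
    for path, lineno, what in scan_tree(SAMPLE_FILES):
        print(f"{path}:{lineno}: {what}")
```

Run against the sample, the scanner reports the `.env` file itself and both credentials in it, while the code that reads the key from the environment and the README’s commit hash produce no findings. In practice this belongs in a pre-commit hook and a deployment check, so a key never reaches the repository or the served directory in the first place; a key that has already been published should be treated as compromised and rotated regardless of what the scanner says.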

Furthermore, for better security, organisations should only allow access to the KYC documents stored in the cloud from specific IP addresses, through a block-all-with-exception (allowlist) policy.
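As an added example (not from the original post and not MyRepublic’s actual configuration), here is what a block-all-with-exception policy looks like for an AWS S3 bucket holding KYC documents, together with a small evaluator that shows which source addresses the policy turns away. The bucket name and the allowed ranges are constructed placeholders (documentation-only TEST-NET ranges); the policy shape, an explicit Deny with a `NotIpAddress` condition on `aws:SourceIp`, is the pattern AWS documents for restricting a bucket to specific IP addresses.

```python
import ipaddress
import json
from typing import Iterable, List


def build_ip_restriction_policy(bucket: str, allowed_cidrs: Iterable[str]) -> dict:
    """Return an S3 bucket policy that denies every request from outside allowed_cidrs.

    In AWS policy evaluation an explicit Deny overrides any Allow, so this single
    statement converts the bucket to block-all-with-exception: only requests whose
    source IP falls inside the allowlist can pass on to whatever Allow grants
    (IAM user policies, presigned URLs, and so on) the application relies on.
    Caveat documented by AWS: this also locks out administrators who are not on
    the list, so the allowed ranges must include your own management network.
    """
    # strict=True rejects ranges like 203.0.113.5/24 whose host bits are set,
    # which would otherwise silently allow a different block than intended.
    cidrs: List[str] = [str(ipaddress.ip_network(c, strict=True)) for c in allowed_cidrs]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllExceptAllowlistedIPs",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}},
            }
        ],
    }


def request_blocked(policy: dict, source_ip: str) -> bool:
    """Evaluate only the NotIpAddress/aws:SourceIp Deny statements of the policy.

    This is a reduced model of the AWS evaluation logic, enough to check the
    allowlist itself; it does not model the Allow side, resource matching or
    other condition keys.
    """
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cidrs = stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp", [])
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        # An address of the other IP family is never "in" a network, so an IPv6
        # client is denied by an IPv4-only allowlist, which is the safe default.
        if cidrs and not any(ip in ipaddress.ip_network(c) for c in cidrs):
            return True  # outside every allowed range: the explicit Deny applies
    return False


# Constructed sample: a KYC bucket reachable only from the portal's egress
# range and one back-office host (TEST-NET addresses, placeholders only).
KYC_POLICY = build_ip_restriction_policy(
    "kyc-documents-example", ["203.0.113.0/24", "198.51.100.7/32"]
)

if __name__ == "__main__":
    print(json.dumps(KYC_POLICY, indent=2))
    for probe in ("203.0.113.45", "198.51.100.7", "198.51.100.8", "192.0.2.1"):
        print(probe, "blocked" if request_blocked(KYC_POLICY, probe) else "allowed")
```

The point of the evaluator is to test the allowlist before deploying it: an address one off the back-office host (`198.51.100.8`) is denied, as is anything outside the portal’s `/24`. A leaked access key used from the attacker’s own network would meet the same Deny, which is why the post treats IP restriction as a second layer on top of keeping the key out of reachable configuration files.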

Lastly, notwithstanding that the data was hosted on a vendor’s cloud service, it is the duty of the organisation to implement reasonable security arrangements to prevent the risk of unauthorised disclosure of customer data. This holds in particular where the organisation retains control over such data.

Your data protection officer works with you to make sure that when it comes to third-party service providers, your contract covers the full security measures that both parties must take to protect the personal data in your management.

Why protecting customer information matters

Given this case, it is necessary for organizations to practice due diligence in protecting customer information or else face a whopping financial penalty of up to S$1,000,000. But this is not all of it.

Whenever there is a failure of the organisation to protect customer information, or there has been a leak of personal data that the organisation is handling, this could result in the loss of trust from the loyal customers and potential future clients. Furthermore, this could also mean besmirching the brand trust that took years to build.

With this, we can conclude that when an organisation is not careful enough in handling personal data, this could possibly mean the end of the organisation. This is why protecting customer information matters, as a lot could be lost from the organization if it is not careful in handling it.

