On MyRepublic and protecting customer information
The Personal Data Protection Commission (PDPC) has recently published this month’s decision. For September, only one case has been issued covering the financial penalty given to MyRepublic. Their PDPA violation? Failure to protect the personal data of their customers.
It should be noted that the Personal Data Protection Act (PDPA) aims to balance organisations’ need to use data for legitimate purposes against the protection of individuals’ personal information, with the PDPC tasked with its administration and enforcement.
The PDPC publishes its decisions on its website, where anyone can read the latest data protection standards it has set. Organisations that want to comply with those standards therefore have a duty to keep up to date with the latest PDPC incidents and undertakings.
Let’s have a look at this month’s only case alongside the latest cybersecurity updates, and answer the question of why protecting customer information matters.
September 15: The financial penalty imposed on MyRepublic
Our lone case this month involves MyRepublic. On 29 August 2021, the PDPC was informed that MyRepublic had been the subject of a cyber incident. According to the organisation, the bad actor had exfiltrated and deleted the personal data of its customers from its IT systems.
MyRepublic is a local telco provider that accepts customer orders for mobile services through its Mobile Order Portal. With this portal, the customers would submit their customer identity verification and number portability documents, which are also known as “KYC documents”.
The portal stored these KYC documents in cloud storage obtained from Amazon Web Services (AWS), accessible only through an access key. However, MyRepublic was made aware that a bad actor had accessed these KYC documents, without any idea of how the bad actor had got hold of the access key.
The organisation determined that the bad actor had likely obtained the access key through the portal’s functionality which displayed technical information and disclosed the access key in the portal’s source code repository.
The incident resulted in the access and exfiltration of the personal data of the organisation’s 79,388 customers. For breaching the Protection Obligation under the PDPA, the Commission ordered MyRepublic to pay a whopping S$60,000 financial penalty.
What can we get from this case?
This incident highlights the importance of removing configuration files that may be present in a portal, as these may expose access keys that bad actors must not get hold of.
Furthermore, for better security, organisations should only allow access to the KYC documents stored in the cloud from specific IP addresses, through a block-all-with-exception policy.
Lastly, notwithstanding that the data was hosted on a vendor’s cloud service, it is the duty of the organisation to implement reasonable security arrangements to prevent the risk of unauthorised disclosure of customer data. This applies as long as the organisation retains control over such data.
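The two technical lessons above (keep access keys out of configuration files and source repositories, and restrict access to the KYC store to known IP ranges) can be turned into concrete checks. The following Python is an added example written for this article; it is not MyRepublic’s code, nor anything from the PDPC decision. The sample config file is constructed, the key ID and account number are the placeholder values used in AWS’s own documentation, and the bucket name, CIDR range and role name are assumptions.

```python
import ipaddress
import json
import re

# Shape of an AWS access key ID: a four-letter prefix such as AKIA or ASIA
# followed by 16 upper-case alphanumerics (assumption: long-lived and
# temporary key prefixes only; other prefixes exist).
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Config keys whose values should never sit in a repository or a served config file.
SECRET_KEY_NAMES = ("aws_access_key_id", "aws_secret_access_key", "secret_key")

# Constructed sample of a config file that was checked into a portal's repository.
# The key ID and secret are the placeholder values from AWS's documentation.
SAMPLE_CONFIG = """\
# constructed sample: portal settings committed to source control
portal_name = mobile-order-portal
kyc_bucket = example-kyc-bucket
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
debug_page_enabled = true
"""


def find_exposed_keys(text):
    """Return (line_no, reason) for every line that looks like it leaks an AWS key.

    Run this over config files and repository contents before they are deployed
    or pushed; a non-empty result means the file must be cleaned and the key rotated.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_ID_RE.search(line):
            findings.append((line_no, "access key id pattern"))
            continue
        key = line.split("=", 1)[0].strip().lower() if "=" in line else ""
        if key in SECRET_KEY_NAMES and line.split("=", 1)[1].strip():
            findings.append((line_no, f"secret value assigned to {key}"))
    return findings


def ip_in_allowlist(ip, allowed_cidrs):
    """Local check of the source-IP condition: True only if ip falls in an allowed range.

    This mirrors what the Deny statement below does; it is not an IAM policy simulator.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in allowed_cidrs)


def kyc_bucket_policy(bucket, allowed_cidrs, reader_role_arn):
    """Build a block-all-with-exception S3 bucket policy document.

    Every request to the KYC bucket is denied unless it originates from an
    allow-listed CIDR, and only the named role may read objects. The returned
    dict is the policy document; applying it to the bucket is a separate step.
    """
    for cidr in allowed_cidrs:
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed range
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideAllowedRanges",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
            },
            {
                "Sid": "AllowPortalRoleRead",
                "Effect": "Allow",
                "Principal": {"AWS": reader_role_arn},
                "Action": ["s3:GetObject"],
                "Resource": f"{arn}/*",
            },
        ],
    }


if __name__ == "__main__":
    for line_no, reason in find_exposed_keys(SAMPLE_CONFIG):
        print(f"line {line_no}: {reason}")
    # Assumed bucket, office range (documentation range 203.0.113.0/24) and role.
    policy = kyc_bucket_policy(
        "example-kyc-bucket",
        ["203.0.113.0/24"],
        "arn:aws:iam::123456789012:role/PortalKycReader",
    )
    print(json.dumps(policy, indent=2))
```

The scanner is deliberately simple (a key-ID pattern plus a short list of sensitive config keys) so it can run in a pre-commit hook or a build step; a finding should trigger key rotation, not just removal of the line, because the key must be treated as already exposed. The explicit Deny with `NotIpAddress` is what makes the policy block-all-with-exception: an explicit deny in a bucket policy overrides every allow, including the bucket owner’s, so test the allow-listed ranges carefully before applying it to avoid locking legitimate operators out.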
Why protecting customer information matters
Given this case, it is necessary for organizations to practice due diligence in protecting customer information or else face a whopping financial penalty of up to S$1,000,000. But this is not all of it.
Whenever an organisation fails to protect customer information, or leaks personal data it is handling, it can lose the trust of loyal customers and potential future clients. Furthermore, this could also mean besmirching a brand trust that took years to build.
With this, we can conclude that when an organisation is not careful enough in handling personal data, this could possibly mean the end of the organisation. This is why protecting customer information matters, as a lot could be lost from the organization if it is not careful in handling it.