|Date of enforcement action:|
|Singapore||SGD 15,000 (US$11,000)|
|Defendant company or entity:||Industry segment:|
|Creative Technology Ltd||Technology /|
A financial penalty of $15,000 was imposed on Creative for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of users of its online support forum.
The Organisation first set up the Forum some time in 2004 to help users share ideas and information relating to the Organisation’s products. In 2011, the Organisation adopted a third-party forum software known as “vBulletin” to operate and host the forum internally. Unknown to the Organisation, the vBulletin software had an SQL injection vulnerability which could allow hackers to extract information hosted on the platform. The developers of the vBulletin software released patches to address this vulnerability in 2016. However, the Organisation had not installed these patches at the time of the Incident.
On 25 May 2018, an unknown hacker used SQL injection techniques to obtain personal data of Forum users from the Forum’s database. In particular, the hacker exploited the vulnerability in the vBulletin software to launch SQL injection attacks by using the “Forumrunner” add-on.
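The root cause described above is the generic SQL injection pattern: user-controlled text is spliced into the query string, so the database cannot tell data from SQL. The following added example (written for this page, not vBulletin's or Creative's code) contrasts the vulnerable pattern with a parameterised query against a constructed in-memory SQLite table whose schema, usernames and e-mail addresses are made up for illustration. It also shows that the same fix handles a legitimate value containing a quote, which the concatenated version cannot even parse.

```python
import sqlite3

# Constructed sample data for the demonstration; not the forum's real schema or users.
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("o'brien", "obrien@example.org"),
]


def make_db():
    """Build an in-memory user table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: the caller's input becomes part of the SQL text.

    A value containing a quote changes the structure of the statement, so
    the WHERE clause no longer means what the programmer wrote.
    """
    sql = f"SELECT username, email FROM user WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the value is bound as a parameter.

    The SQL text is fixed at development time; whatever the caller supplies
    is compared as a plain string, quotes included.
    """
    sql = "SELECT username, email FROM user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def unsafe_raises(conn, username):
    """True if the concatenated query fails to parse for this input."""
    try:
        lookup_unsafe(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # A well-formed username behaves the same under both functions.
    print(lookup_unsafe(db, "alice"), lookup_safe(db, "alice"))
    # A username with an apostrophe breaks the concatenated query but not the bound one.
    print(unsafe_raises(db, "o'brien"), lookup_safe(db, "o'brien"))
```

The defensive takeaway is that parameter binding is a correctness fix as much as a security fix: the `o'brien` row is only retrievable through `lookup_safe`, and no input can widen the result set beyond the one username it names.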
The Organisation first came to know of the Incident on 4 June 2018, when it was notified by a security researcher that he had received a set of user data extracted from the Forum. The Organisation subsequently found that 484,512 users’ account information had been accessed and extracted in the Incident. Of these, only 173,763 appeared to be legitimate email addresses with the remainder, in the Organisation’s view, being “disposable” or otherwise not legitimate email addresses. Further, of the accounts with legitimate email addresses, the Organisation found that there were 8,258 active users who had accessed or posted on the forum between 2014 and 2018 and, amongst these Active Users, approximately 2,600 had email addresses which contained either the names or partial names of individuals.
The Organisation had failed to put in place reasonable security arrangements to protect the Personal Data for the following reasons. First, the Organisation had not patched or updated its version of vBulletin since 2 May 2015, three years prior to the Incident. This was a significant factor leading to the Incident. As stated in the Commission’s Guide to Securing Personal Data in Electronic Medium, regular security patching is important for organisations to keep their systems and databases current and minimise their vulnerabilities. Secondly, the MD5 algorithm is no longer sufficiently secure for password hashing, as compared with other available algorithms. Passwords hashed with MD5 are susceptible to some forms of attack and, if they are compromised, this could lead to the disclosure of other personal data. Individuals may face additional risks if they had used the same email address and password for other online accounts. In this regard, since the March 2014 version of vBulletin the developers no longer hashed passwords with MD5 by default, opting for the more secure bcrypt. This reinforces the point that if the Organisation had implemented the updates, the users’ hashed passwords would have been more secure.
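The password-hashing finding turns on two properties the decision names: MD5 is fast and, as used here, unsalted, so every user with the same password shares the same stored hash and a leaked table can be attacked offline at high speed. The added example below (not code from the page, vBulletin or Creative) shows the shape of a defensive response: an audit that flags accounts still on the legacy scheme, and a rehash-on-login migration to a salted, tunable-cost hash. It uses the standard library's PBKDF2-HMAC-SHA256 in place of the bcrypt the page mentions so that it runs without third-party packages; the design point (per-user salt plus a work factor) is the same. The prefixes, iteration count and sample user table are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed storage-format prefixes for this example; not vBulletin's format.
LEGACY_PREFIX = "md5$"
MODERN_PREFIX = "pbkdf2_sha256$"
ITERATIONS = 200_000  # work factor; raise as hardware gets faster


def legacy_md5_hash(password):
    """What an unsalted MD5 scheme stores: fast and deterministic.

    Two users with the same password get the same hash, and a leaked table
    can be attacked at MD5 speed with no per-user work.
    """
    return LEGACY_PREFIX + hashlib.md5(password.encode()).hexdigest()


def modern_hash(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash: random salt per user and a tunable cost."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{MODERN_PREFIX}{iterations}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Check a password against either storage format in constant time."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(legacy_md5_hash(password), stored)
    if stored.startswith(MODERN_PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError("unknown hash format")


def audit(table):
    """Return the usernames whose stored hash is still unsalted MD5."""
    return sorted(u for u, h in table.items() if h.startswith(LEGACY_PREFIX))


def upgrade_on_login(table, username, password):
    """Authenticate and, if the account is on the legacy scheme, rehash it.

    Login is the only moment the plaintext is available, so it is the
    natural point to migrate a legacy hash without a forced reset.
    """
    stored = table[username]
    if not verify(password, stored):
        return False
    if stored.startswith(LEGACY_PREFIX):
        table[username] = modern_hash(password)
    return True


def sample_table():
    """Constructed user table: one legacy account, one already migrated."""
    return {
        "alice": legacy_md5_hash("pa55word"),
        "bob": modern_hash("hunter2"),
    }


if __name__ == "__main__":
    users = sample_table()
    print("legacy accounts:", audit(users))
    print("same password, same MD5:", legacy_md5_hash("x") == legacy_md5_hash("x"))
    print("same password, different salted hashes:", modern_hash("x") != modern_hash("x"))
    upgrade_on_login(users, "alice", "pa55word")
    print("legacy accounts after alice logs in:", audit(users))
```

Running the audit against a stored table is the check a practitioner would want after reading this decision: any account that still matches the legacy format is exactly the exposure the Commission describes, and the rehash-on-login path retires it without asking users to reset.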
In the circumstances, the Commissioner found the Organisation in breach of section 24 of the PDPA.
(Personal Data Protection Commission Singapore)
|Enforcement authority:||Type of enforcement action:|
|Personal Data Protection Commission||Penalty notice|
|Subject to appeal?|
Cite this fine in your work
Data Privacy Fines Index. (2020-01-02 06:27) Creative Technology Ltd fined SGD 15,000. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/creative-technology-ltd-fined-sgd-15000/
Entry last updated: 2020-01-16 09:38 GMT.