Why protecting customer information matters: The case of MyRepublic — Privacy Ninja
Why protecting customer information matters: The case of MyRepublic
The September 2022 PDPC Incidents and Undertaking decision of the Personal Data Protection Commission (PDPC) have been published on PDPC’s official website. For this month, only one (1) case has been issued covering the financial penalty given to MyRepublic.
It should be noted that the Personal Data Protection Act (PDPA) aims to balance the organizations’ needs to use data for legitimate purposes with the protection of individual’s personal information as it is tasked with administration and enforcement.
In doing so, the decisions conducted by PDPC are published on their website, which is open to all who want to read the latest data security standards set by the PDPC. With this, for the better observance of organizations with such standards, it is their duty to be kept updated with the latest PDPC incident and undertakings.
Let’s have a look at this month’s only case with the latest cybersecurity updates to date and answer the question as to why protecting customer information matters.
September 15: The financial penalty imposed on MyRepublic
Our only case of PDPC Incidents and Undertaking involves MyRepublic. On 29 August 2021, the PDPC was informed that MyRepublic had been the subject of a cyber incident. According to the organisation, the bad actor had exfiltrated and deleted the customers’ personal data from its IT systems.
The organisation accepts customer orders for mobile services through its Mobile Order Portal. With this Portal, the customers would submit their customer identity verification and number portability documents, which are also known as “KYC documents”.
Such Portal would store these “KYC documents” in the cloud procured from Amazon Web Services (AWS) and will only be accessible through an Access Key. However, the organisation was made aware that a bad actor had accessed these KYC Documents without any idea how the bad actor obtained the Access key.
The organisation determined that the bad actor had likely obtained the Access Key through the Portal’s functionality which displayed technical information and disclosed the Access Key in the Portal’s source code repository.
Due to this incident, the personal data of 79,388 of the organisation’s customers was accessed and exfiltrated, and for breaching the Protection Obligation under the PDPA, the Commission ordered MyRepublic to pay a whopping S$60,000 financial penalty.
What we can get from this case
What we can get from this case is the importance of removing configuration files that may be present in a Portal, as this may expose the Access Keys that bad actors must not get a hold of.
Furthermore, for better security, organisations must only access the KYL Documents stored in the cloud using specific IP addresses through a block-all-with-exception policy.
Lastly, notwithstanding that the data was hosted on a vendor’s cloud service, it is the duty of the organisation to implement reasonable security arrangements to prevent the risk of unauthorised disclosure of the Customer Data. This is true when the organisation retains control over such data.
Why protecting customer information matters
Given in this case, it is necessary for organizations to practice due diligence in protecting customer information or else face a whopping financial penalty which ranges up to S$1,000,000. But this is not all of it.
Whenever there is a failure of the organisation to protect customer information, or there has been a leak of personal data that the organisation is handling, this could result in the loss of trust from the loyal customers and potential future clients. Furthermore, this could also mean besmirching the brand trust that took years to build.
With this, we can conclude that when an organisation is not careful enough in handling personal data, this could possibly mean the end of the organisation. This is why protecting customer information matters, as a lot could be lost from the organization if it is not careful in handling it.