https://www.straitstimes.com/singapore/poor-password-causes-software-firm-to-be-fined-74000-for-data-breach-affecting-half-a-million-users

Using the privileged access of the compromised admin account, the hacker accessed personal data of 557,144 users.

SINGAPORE – A company running online language lessons for children around the world used a password based on its website name, LingoAce, making it vulnerable to the data breach that resulted.

More than half a million users were affected. Among personal data compromised were the cellphone numbers, bank account numbers, signatures and Chinese nationals’ identity card numbers.

Singapore-based firm PPLingo was fined $74,000, according to a Personal Data Protection Commission (PDPC) judgment released on May 23. It runs online Chinese and English language classes for children aged four to 15.

Some time in April 2022, a hacker obtained an administrator account password of LingoAce – “lingoace123” – via brute force attacks, a method that uses trial and error to crack encryption keys.

The password had remained unchanged for more than two years before the breach.

Using the privileged access of the compromised admin account, the hacker accessed personal data of 557,144 users, more than 300,000 of them minors.

In the subsequent week, the hacker informed the firm that he had accessed LingoAce’s systems and listed personal data of several users in the text to prove this.


However, he did not follow up with any demands.

The commission found that the company had failed to put in place reasonable security arrangements to protect the personal data of its students, parents and staff.

The company was also found liable for not appointing anyone to ensure that it complied with Singapore’s data protection laws.

It appointed a data protection officer only after the data breach, more than five years after the firm was incorporated in 2016.

PDPC found that the firm’s security arrangement to protect personal data was inadequate because it did not have a password policy, apart from requiring a minimum length of eight characters.