SINGAPORE: The Consumers ‘ Association of Singapore ( CASE ) said on Friday ( Aug 30 ) it is , committed to safeguarding consumers ‘ data, after it was  , fined S$ 20, 000 ( US$ 15, 350 ) by the Personal Data Protection Commission ( PDPC ).
The personal information of over 12, 000 people and more than 22, 000 e-mail names were , potentially compromised in two distinct data breach incidents involving CASE.
In a judgement published by PDPC , on Wednesday,  , Singapore’s privacy watchdog said CASE breached its obligations under , the Personal Data Protection Act ( PDPA ) to protect personal data in its possession.
Additionally, it failed to create and implement the policies and practices that are necessary to fulfill its PDPA responsibility.
The buyer guardian acknowledged the vulnerabilities and accepted , the S$ 20, 000 good, adding it , is” committed to safeguarding customers ‘ data”.
CASE added that it has adhered to PDPC’s instructions to revise its security measures and address surveillance gaps.
We may constantly review our procedures and methods to stop such incidents from occurring again.
How HAPPENED ,
Unknown phishing emails were sent to a number of State customers in the first incident on October 8 and 9 in 2022 from two official consumer watchdog email addresses.
They were informed that their grievances had been escalated to the” series and payment office” and that they were qualified for payment.  ,
The afflicted consumers were instructed to press a chat icon  to enter their banking information to finish the transaction.
The letters came from a user account that handles customer grievances on CASE’s site.
Similar letters were sent using a contact form created to communicate with customers whose complaints were brought to counseling.  ,
CASE notified , PDPC there had been a files violation incident involving a menace professional on Oct 11, 2022. Concern actor is a person or organization who purposefully harms online products or systems.
In January and February 2023, CASE received complaints about more phishing emails that had been sent from addresses that were n’t in its domain.
The damaged customers ‘ letters were “likely harvested” by the threat professional during the course of the second incident, PDPC said.
A full of 5, 205 phishing messages were sent to 4, 945 consumers, with the private guardian noting that up to 22, 542 names were exposed to “harvesting” by the danger professional.
Three affected customers informed CASE they had , interacted with the hacking letters, reportedly resulting in economic losses of , S$ 217, 000 in full. Since then, a police record has been released.
The risk actor had safely logged into the affected accounts  with the appropriate login credentials, according to CASE, which hired a personal forensic expert to determine the cause and degree of the first incident.
Additionally, it discovered that the appropriate registration information was obtained from a powerful hacking attempt on a CASE employee.
Moreover, some of CASE’s laptops were “running on end-of-life operating systems, and had vulnerable technology with unapplied upgrades or safety patches”, which put it at risk of distant code execution risk, according to the view.  ,
SECOND INCIDENT
As the investigation into the first affair was advancing, PDPC received a problem from a State consumer in June 2023.
A qualified phishing email was sent to the complainant from an email address that did not originate from CASE’s domain.
CASE was afterwards informed of more instances of this kind, with 28 people telling the agency they had been phishing letters.
A “definitive summary” regarding the second incident’s data breach could not be reached by PDPC investigations.
However, the committee concluded that it “likely occurred” during a files movement training conducted by CASE somewhere between Dec 24, 2019, and Jan 1, 2020 as it switched IT suppliers.
Approximately 12, 218 people who participated in the data migration exercise were put at risk of illegal access and, according to PDPC.
exfiltration.
The information included email addresses, phone numbers, names and details of grievances made.
In the second incident, the affected consumers received no financial losses.