Software Firm Fined $60,000 for Major Student Data Breach
A local software development company, Learnaholic, received a significant fine for a 2016 security failure that exposed the personal information of nearly 48,000 students, parents, and staff from a junior college.
How the Breach Occurred
According to the Personal Data Protection Commission (PDPC), the breach was a direct result of critical security lapses. The company had taken down a protective firewall to fix an issue but failed to reactivate it.
Additionally, a password-protection measure was removed during the maintenance. This allowed hackers to access a file with an employee's email credentials, which they used to infiltrate the system and steal unencrypted personal data, including names, NRIC numbers, and even medical information for about 370 students.
"Any of the individual lapses on their own would have been a cause for concern; combined together, the lapses created the perfect opportunity for any opportunistic hacker armed with basic hacking tools to strike."
Other Companies Penalized
Besides Learnaholic, the privacy watchdog also fined four other firms for various data protection failures:
- The Travel Corporation - Fined $12,000
For not appointing a data protection officer and failing to protect customer data on a misplaced portable hard disk.
- Honestbee - Fined $8,000
For storing the data of about 8,000 individuals without secure access restrictions.
- Chizzle - Fined $8,000
For not having reasonable security arrangements to protect user data on its mobile application.
- i-vic International - Fined $6,000
For not using secure software, which led to the disclosure of personal data via e-mail.
The fine against Learnaholic was the highest issued by the PDPC since the landmark $1 million penalty against SingHealth. The incidents highlighted a trend of increasing enforcement, with over $1.29 million in fines issued in the first nine months of 2019 alone.