Slack security measures led to leak of K Box customers’ data

SINGAPORE — One receptionist used a single-letter password to access the company system, and on one occasion, K Box Entertainment Group received more than 90,000 members’ personal data, unencrypted, via Gmail from its IT vendor, Finantech.

These findings were published on Monday (Oct 24) on Singapore Law Watch, some six months after the Personal  Data Protection Commission fined the karaoke outlet operator S$50,000 for not having adequate security measures to protect the personal data of 317,000 of its members, whose details were leaked online.

The commission also ordered K Box to appoint a data protection officer, and fined Finantech S$10,000.

The karaoke chain had no policy, or physical or online security system, to ensure its employees did not remove customers’ personal data from its premises. Employees were required to set alphanumeric passwords with eight letters or numbers, but its IT system did not ensure staff complied.

And when K Box wanted members’ personal data for marketing purposes, it informed its third-party IT vendor, who would retrieve the information from the database and send it unencrypted via Gmail.

K Box did not delete the accounts of employees who had left the company until the day after news of the data breach. And after the news broke in September 2014, the company still did not hire a data protection officer, even though it implemented a new content management system in November 2014.

The data breach could have resulted from K Box’s “admin” user account having a weak password, the commission found. Files detected as malware were found in K Box’s content management system folder, but the commission could not conclusively rule that the breach was due to someone hacking into its system.

The breach had caused the identity-card numbers, mailing addresses, contact numbers and other information of about 317,000 members to be revealed online. It was reported by The Real Singapore website on Sept 16, 2014.

K Box’s weak enforcement of its password policy and weak control of unused accounts and passwords alone could have enabled an attacker to gain access to substantial personal data simply though the content management system, the commission stated in its ruling.

The company’s use of vulnerable software could also have allowed attackers to do more damage.

K Box failed to make “reasonable security arrangements” to protect members’ data and while it had outsourced the hosting of its content management system to Finantech, it was still the data controller and ultimately responsible for its security, the commission ruled.

Under the Personal Data Protection Act, K Box could have been fined up to S$1 million, among other penalties.