
IES users’ data leaked due to ‘inadequate’ security measures: PDPC

SINGAPORE — The Institution of Engineers, Singapore (IES) could have “easily detected” and patched security flaws on its website, which had resulted in more than 6,000 users’ personal data being compromised in a data leak in October 2014, said the Personal Data Protection Commission (PDPC) in findings on the incident that it released publicly on Tuesday (Oct 25).

While its website had a firewall and anti-virus software, these measures alone were “clearly inadequate to reasonably ensure the security of personal data” stored on it, the PDPC added.

Among the “apparent vulnerabilities” identified were the absence of encrypted storage for members’ passwords, and the lack of audit and tests conducted on the site, it noted.

IES, which was among the first batch of personal data offenders taken to task since the Personal Data Protection Act came into force in July 2014, was fined S$10,000 in April and directed to scan for and patch vulnerabilities on its website, and update the PDPC after it had done so.

During its investigations into the leak, the PDPC found no indication that IES — whose members comprise individuals and organisations — had instructed its vendors to make security arrangements to ensure that personal data stored on its site would be protected in compliance with its obligations under the Act.

A scan report conducted after the leak identified 48 “high severity vulnerabilities”, some of which could have been easily detected and patched with “readily available” online guides, said the PDPC.

The PDPC disagreed with IES’ views that it was “unlikely” that people who had obtained and posted the personal data — including members’ user IDs and passwords — would have logged into these members’ accounts as the information leaked was “random, unrelated and unlinked”.

“With automatic scripting, an individual can log in to any IES members’ account notwithstanding the manner in which the user IDs and passwords had been presented ... Indeed, the Commission cannot exclude the possibility that the person or persons who had obtained and posted the (information) may have already done so,” said the PDPC.
