The watchdog said on Tuesday that MBS had admitted to breaching the Protection Obligation under the Personal Data Protection Act (PDPA) when it failed to take reasonable security measures during a large-scale software migration exercise in March 2023.
The exercise involved migrating old software to new software. This included all applications that are accessible via the Application Programming Interfaces (APIs) and their respective identifiers, which had to be migrated accordingly.
According to an advisory published by the Cyber Security Agency of Singapore (CSA) in October 2022, an API facilitates service communications between two or more apps and performs a vital role, as APIs provide flexibility by simplifying software design, administration and use.
However, they are also the most commonly exposed component of a system and thus have to be secured against attacks.
"It is necessary to ensure that security policies are applied when properly migrating from the old software to the new, including data access rights," said PDPC.
"In this case, one of the identifiers affecting the Art Science Friends webpage was omitted during the migration. This allowed malicious threat actor(s) to access and exfiltrate its patrons’ personal data."
Such data leaks can be further exploited in phishing scams or identity theft, it added.
Despite the "clear risks" involved in such a migration exercise, PDPC noted that MBS relied on a single employee to manually compile a list of API configurations into the new software and did not implement second-layer checks.
As a result, MBS failed to discover and correct the omission for six months, leaving the personal data of its customers unprotected.
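The gap PDPC describes, a migration driven by a manually compiled list with no second-layer check, is the kind of omission a reconciliation step catches before go-live. The following is an added example, not MBS's or PDPC's code: it treats the old system's configuration as the authoritative inventory and flags every API identifier whose access policy is missing or weaker after migration. The identifiers, fields and sample data are constructed.

```python
"""Second-layer check for an API access-policy migration (added example).

The old configuration is the source of truth; the new one is what was
compiled for the target system. Any identifier that is missing, or whose
policy is weaker than before, blocks the migration from being signed off.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ApiPolicy:
    identifier: str                 # API/application identifier being migrated
    auth_required: bool             # must callers be authenticated?
    allowed_roles: frozenset = field(default_factory=frozenset)


def reconcile(old: dict, new: dict) -> dict:
    """Compare pre- and post-migration policies keyed by identifier."""
    findings = {"missing": [], "weakened": [], "unexpected": []}
    for ident, old_pol in old.items():
        new_pol = new.get(ident)
        if new_pol is None:
            findings["missing"].append(ident)          # policy never migrated
        elif (old_pol.auth_required and not new_pol.auth_required) \
                or not new_pol.allowed_roles <= old_pol.allowed_roles:
            findings["weakened"].append(ident)         # access rights widened
    # Identifiers with no counterpart in the old system need a human decision.
    findings["unexpected"] = sorted(set(new) - set(old))
    return findings


def migration_is_safe(findings: dict) -> bool:
    """Sign-off rule: no missing and no weakened policies."""
    return not (findings["missing"] or findings["weakened"])


# Constructed sample data: "friends-page" stands in for the omitted identifier.
OLD_CONFIG = {
    "loyalty-profile": ApiPolicy("loyalty-profile", True, frozenset({"member", "staff"})),
    "friends-page": ApiPolicy("friends-page", True, frozenset({"member"})),
    "public-events": ApiPolicy("public-events", False),
}
# Manually compiled target config: one identifier dropped, one policy loosened.
NEW_CONFIG = {
    "loyalty-profile": ApiPolicy("loyalty-profile", True, frozenset({"member", "staff", "guest"})),
    "public-events": ApiPolicy("public-events", False),
}

if __name__ == "__main__":
    result = reconcile(OLD_CONFIG, NEW_CONFIG)
    print(result, "safe:", migration_is_safe(result))
```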
"MBS' failure to put in place proper processes for something as critical as security policy was a negligent contravention of the Protection Obligation," said PDPC.
"As a large enterprise with significant turnover in Singapore, it is clear that MBS had the required resources to protect their patrons' personal data."
