On May 23, Singaporean authorities fined an educational software company $74,000 for a weak password that enabled the breach of its customers’ data. More than 500,000 people, including 300,000 children, saw sensitive personal data, including cellphone numbers, national ID numbers, and bank account numbers, fall into the hands of a hacker in 2022.
Singapore’s Personal Data Protection Commission (PDPC) issued the fine to PPLingo, a company that teaches Chinese and English to students aged 4 to 15 on its educational platform called LingoAce.
The PDPC said on its website that the financial penalty was imposed for “(i) failing to put in place reasonable security arrangements to protect individuals’ personal data in its possession or under its control; and (ii) not appointing any individual to ensure its compliance with PDPA.”
The PDPC said in its enforcement decision that the password for the LingoAce admin account was “lingoace123”, which did not meet industry best practices and could easily be guessed by a threat actor. That is what happened: the attacker gained access to the LingoAce admin account through brute-force guessing, and the account also had no two-factor authentication, a second serious weakness, since a second factor would have stopped a correctly guessed password on its own.
Soon after the breach, the threat actor reported their own actions to PPLingo, which then reported the incident to the PDPC. The threat actor made no demands of PPLingo, and it is not known whether the stolen data was ever made available on the dark web.
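The two weaknesses the decision describes, a guessable password and no throttling of repeated login attempts, are both cheap to catch on the defending side. The following is an added example written for this page, not code from PPLingo, LingoAce or the PDPC: a password-acceptance check that rejects passwords built from the product name plus a trivial suffix (so “lingoace123” is refused at creation time), and a per-account lockout that limits how many online guesses an attacker gets. The product name comes from the article; the minimum length, the small breached-password list, the lockout thresholds and the guess list are assumed values constructed for the example.

```python
"""Password-acceptance and login-throttling checks.

Added example; not code from PPLingo, LingoAce or the PDPC decision. Only the
product name "lingoace" is taken from the article. The policy parameters,
breached-password sample and guess list below are assumptions made for the
example.
"""
import re
import time
import unicodedata

MIN_LENGTH = 12  # assumed policy, not from the enforcement decision
# Words an attacker tries first against this service: product/company names and role names.
CONTEXT_WORDS = ("lingoace", "pplingo", "lingo", "admin", "password")
# Constructed stand-in for a breached-password corpus (a real deployment uses a full list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
# Undo the most common leetspeak substitutions so "L1ng0@ce" still matches "lingoace".
LEET = str.maketrans("0143$@!", "oiaesai")


def normalise(pw: str) -> str:
    """Lowercase and strip accents so comparisons are against a canonical form."""
    return unicodedata.normalize("NFKD", pw).encode("ascii", "ignore").decode().lower()


def strip_trivial_affixes(word: str) -> str:
    """Drop leading/trailing digits and punctuation: 'lingoace123!' -> 'lingoace'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", word)


def digit_run(s: str, n: int = 3) -> str:
    """Return the first run of n digits that is sequential (123) or repeated (111), else ''."""
    for i in range(len(s) - n + 1):
        chunk = s[i : i + n]
        if not chunk.isdigit():
            continue
        steps = {int(chunk[j + 1]) - int(chunk[j]) for j in range(n - 1)}
        if steps == {1} or steps == {0}:
            return chunk
    return ""


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    low = normalise(pw)
    core = strip_trivial_affixes(low)
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if core in COMMON_PASSWORDS or low in COMMON_PASSWORDS:
        problems.append("appears in breached-password list")
    for w in CONTEXT_WORDS:  # longest/most specific names first so 'lingoace' wins over 'lingo'
        if w in low or w in low.translate(LEET):
            problems.append(f"contains context word '{w}'")
            break
    run = digit_run(low)
    if run:
        problems.append(f"sequential or repeated digits '{run}'")
    return problems


class LoginThrottle:
    """Per-account failure counter with a lockout window (assumed parameters)."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so tests can advance time deterministically
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def allowed(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return True
        if self.clock() >= until:  # lockout expired: reset and let the attempt through
            del self._locked_until[account]
            self._failures.pop(account, None)
            return True
        return False

    def record_failure(self, account: str) -> None:
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def simulate_online_guessing(candidates, real_password, throttle=None, account="admin"):
    """Replay a guess list against one account; returns (found, attempts_made).

    Plain string comparison stands in for the real password verification (which would
    compare against a salted hash); the point is how many guesses the throttle permits.
    """
    attempts = 0
    for guess in candidates:
        if throttle is not None and not throttle.allowed(account):
            break
        attempts += 1
        if guess == real_password:
            if throttle is not None:
                throttle.record_success(account)
            return True, attempts
        if throttle is not None:
            throttle.record_failure(account)
    return False, attempts


# Constructed guess list: context words with the suffixes a wordlist rule would append.
GUESS_LIST = [w + s for w in CONTEXT_WORDS for s in ("", "1", "123", "1234", "2022", "!")]

if __name__ == "__main__":
    print("lingoace123 ->", check_password("lingoace123"))
    print("unthrottled:", simulate_online_guessing(GUESS_LIST, "lingoace123"))
    print("throttled:  ", simulate_online_guessing(GUESS_LIST, "lingoace123", LoginThrottle(max_failures=2)))
```

The acceptance check is the cheaper control and should run at password-set time; the throttle is the backstop for passwords that slip through, and it is what a second authentication factor would have made largely moot in the LingoAce case.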
Before the PDPC released its judgment, PPLingo attempted to get the $74,000 fine reduced, saying that the firm had voluntarily reported the breach and had implemented cybersecurity improvements, such as hiring a data protection officer. It also said that it had informed authorities in 40 other countries where it has students and could be fined multiple times for the same infraction.
The PDPC rejected the request, saying that PPLingo is responsible for all personal data in its possession, regardless of where the owners of the data live.