Singapore's Personal Data Protection Commission Fines RedDoorz
Reading Time: 2 minutes

Singapore’s Personal Data Protection Commission fined RedDoorz SG$74,000 ($54,456) for exposing nearly 5.9 million customers’ data – the largest data breach handled by the Commission since its inception.

According to PDPC the penalty “failing to put in place reasonable security arrangements to prevent the unauthorized access and exfiltration of customers’ personal data hosted in a cloud database.”

RedDoorz started business in Indonesia before moving operations to Singapore. The company managed budget hotel bookings in select Southeast Asian cities. Users can book budget hotels from RedDoorz based on photos, area, and price, not always knowing the actual name or location of the hotel. RedDoorz offers a rebranded hotel room experience to the travelers when they arrive with certain guaranteed services like WiFi, TV, and potable water.

An Atlanta-based cybersecurity firm informed Commeasure about the RedDoorz customer’s data breach in September 2020 and also offered remedial services. After which within a week the travel tech company informed the PDPC.

The hackers managed to steal personal data belonging to its customers included customers’ names, contact numbers, email addresses, birthdays, encrypted RedDoorz account passwords, and booking information, and put it on sale on a hacker forum. Though the PDPC’s ruling, [PDF] the database did not include credit card numbers.

During the early days of RedDoorz, an AWS access key was embedded into an Android application package (APK) publicly available for download from the Google Play Store. An APK created in 2015, which was last updated in January 2018 was wrongly used as a “test” key by developers at the time. This remained visible in spite of being considered as “defunct” until the company was notified of the breach in 2020.

Bad actors were able to gain access to the AWS access key in hand and exploit it to collect customer records hosted in an Amazon RDS cloud database. Later RedDoorz did hire cybersecurity companies in an attempt to protect the data and used the Java obfuscation tool Proguard to prevent APK reverse engineering. All their efforts were in vain as the relevant file was never evaluated.

While talking to TheRegister, RedDoorz Founder and CEO, Amit Samberwal said, “We immediately conducted internal reviews and subsequently engaged external cybersecurity firms to enhance security measures. At the time, we had also informed all our users, public media, and respective authorities of the breach. PDPC in Singapore recently concluded the investigation after over a year and a half, and deemed the case closed with the $74K fine imposed.”

PDPC was not satisfied with Commeasure’s explanation that the failure to implement sufficiently robust processes to manage its inventory of infrastructure access keys was due to high employee turnover. However, it did consider the company’s cooperative behavior, remedial actions, ineffective yet regular security reviews, and the unfortunate circumstances of being a hospitality business in the middle of a pandemic, as it decided on the financial penalty. The company has to pay the fine in 30 days before the interest kicks in.

Related Articles:

New U.S. Government Initiative Will Hold Contractors Accountable for Cybersecurity
SOVA – New Android Banking Trojan Keeps Getting Powerful
Atlassian Confluence Service Flaw Used to Breach Jenkins Project Server