What Business Owners Can Learn From the OrangeTee & Tie Breach


Who was fined, and why?

Singaporean real estate firm OrangeTee & Tie was fined S$37,000 (~US$27,777.49) by the Personal Data Protection Commission (PDPC) following a 2021 data breach that exposed the personal details of over 250,000 customers, employees, and agents.

What happened?

In August 2021, hacking group Altdos successfully infiltrated the outdated database servers of OrangeTee & Tie. The illicit activity resulted in the extraction of sensitive personal data such as account numbers, NRIC, and passport numbers, along with property transaction and commission amounts. 

The group then proceeded to demand a ransom of 10 bitcoins from the company in exchange for the non-disclosure and protection of the compromised databases. 

Furthermore, Altdos asserted that it had been able to gain unauthorized access to OrangeTee & Tie’s network since June of the same year, and had illegitimately procured “hundreds of databases” as a result of its activities.

How many people were affected?

In total, 256,583 people were affected by the data breach, mostly OrangeTee & Tie’s customers.

Why did it happen?

OrangeTee & Tie utilized “live” production data containing personal information during development and testing without implementing sufficiently robust processes to safeguard the data. 

Furthermore, the property firm failed to undertake periodic security reviews of its servers, which is standard practice for identifying vulnerabilities resulting from outdated software. This led to the exposure of personal data to security risks, as two database servers were connected to Internet-facing Web servers.

The firm neglected to recognize the consequences of using outdated software and failed to take the necessary measures to secure its Internet-facing servers. The company has since acknowledged that its information-technology security policy did not account for the need for such security reviews.

What did they do right?

The company received commendation for demonstrating swift remedial measures and exhibiting a high degree of cooperation throughout the investigation. Additionally, the Personal Data Protection Commission (PDPC) recognized the company’s voluntary admission of breaching the Protection Obligation, relating to the failure to safeguard personal data in its custody. 

It is noteworthy that the data in question was deemed “publicly available” according to the Personal Data Protection Act 2012 (Singapore), as it could be accessed by any member of the public.

Post-breach, an OrangeTee & Tie spokesman said the company had ramped up its network and data security and heightened its defense against future attacks.

“We are confident of our reinforced security measures, and will work hard to maintain our clients’ trust in our IT network.”

What steps could have been taken?

The recent breach at the firm highlights the importance of implementing effective security protocols and policies to safeguard sensitive data. A robust security strategy involves a combination of technical solutions, employee training, and regular security reviews to ensure that vulnerabilities are identified and addressed promptly.

Here are several recommended practices:

  • use fake or anonymized data in development and testing environments instead of real, live production data
  • conduct periodic security reviews to identify any security flaws or potential vulnerabilities
  • keep software up to date with the latest patches and updates
  • integrate security into the development lifecycle to detect and fix vulnerabilities at the source
  • implement a DevSecOps pipeline that fosters collaboration between development and security teams

By following these best practices, businesses can take proactive steps to protect their valuable data and prevent costly data breaches.
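
The first recommendation above, as an added example (not code from GuardRails or OrangeTee & Tie): rows are pseudonymized with a keyed HMAC before they leave production, and a release gate checks that no real identifier survives in the export. The column names, the key and the sample rows are constructed assumptions, and this is shape-preserving masking, not standardized format-preserving encryption.

```python
import hashlib
import hmac
import string

# Assumptions: column names are hypothetical; the key stays with the production-side
# export job and is never copied into dev/test (constructed value here).
MASKING_KEY = b"constructed-demo-key"
ID_FIELDS = ("nric", "passport_no", "account_no")
AMOUNT_FIELDS = ("transaction_amount", "commission_amount")

def _digest(field, value):
    return hmac.new(MASKING_KEY, f"{field}|{value}".encode(), hashlib.sha256).digest()

def mask_identifier(field, value):
    """Keyed, deterministic, shape-preserving pseudonym (digit->digit, letter->letter)."""
    d = _digest(field, value)
    return "".join(
        string.digits[d[i % 32] % 10] if c.isdigit()
        else string.ascii_uppercase[d[i % 32] % 26] if c.isalpha() else c
        for i, c in enumerate(value))

def mask_amount(field, row_id, amount):
    """Scale by a keyed factor in [0.8, 1.2) and round to the nearest 100."""
    frac = int.from_bytes(_digest(field, row_id)[:4], "big") / 2**32
    return round(amount * (0.8 + 0.4 * frac), -2)

def mask_row(row):
    out = dict(row)
    for f in ID_FIELDS:
        if out.get(f):  # leave NULL/empty identifiers untouched
            out[f] = mask_identifier(f, out[f])
    for f in AMOUNT_FIELDS:
        if out.get(f) is not None:
            out[f] = mask_amount(f, row["id"], out[f])
    return out

def leaked_identifiers(original_rows, masked_rows):
    """Release gate: production identifiers still present in the export."""
    real = {r[f] for r in original_rows for f in ID_FIELDS if r.get(f)}
    exported = {str(v) for r in masked_rows for v in r.values()}
    return sorted(real & exported)

# Constructed sample rows (not real people or accounts).
SAMPLE_ROWS = [
    {"id": 1, "nric": "S1234567D", "passport_no": "K1234567A",
     "account_no": "001-23456-7", "transaction_amount": 1250000, "commission_amount": 25000},
    {"id": 2, "nric": "S1234567D", "passport_no": None,
     "account_no": "009-87654-3", "transaction_amount": 880000, "commission_amount": 17600},
]
```

Because the same input always yields the same pseudonym, joins across tables still work in the test copy; the export job should fail whenever `leaked_identifiers` returns a non-empty list.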



*** This is a Security Bloggers Network syndicated blog from GuardRails authored by GuardRails. Read the original post at: