On October 31, 2020, Eatigo reported a data breach of customer data and that the data had been put up for sale on a popular forum.
The Personal Data Protection Commission investigated and found that:
the personal data for sale on the online forum did not match any current databases in use by the Organisation at the time of the Incident, but matched the structure of a legacy database which contained user data as of late 2018, when the database was last updated (the “Affected Database”). The Affected Database was hosted on the infrastructure of a Cloud Service Provider located in Singapore, and was previously in use by the Organisation until 2018. Thereafter, the Organisation migrated to its current online platform, which entailed a complete redevelopment of data storage and infrastructure. Whilst the Organisation did not intend to continue to utilise the personal data contained in the Affected Database, it was nevertheless retained to support the migration of data to the new platform. After the migration, the Affected Database was not included in the Organisation’s Virtual Private Network (“VPN”) infrastructure. Unfortunately, as the Organisation transitioned to the current engineering team, knowledge of the Affected Database was lost.
Additional findings can be found in the PDPC’s report on the incident and findings, including:
The Affected Database contained personal data relating to approximately 2.76 million individuals, encompassing personal data such as passwords, access IDs and Facebook tokens. Given the high volume of personal data contained in the Affected Database, it was incumbent on the Organisation to implement policies and practices to meet such security needs to discharge its obligation under the Protection Obligation.
The commission issued a financial penalty of $62,400 as part of its response to the incident. The report notes that the organization’s noncooperative responses to the commission’s inquiries were aggravating factors.