Champion Tutor Inc. is a tuition agency with more than 10 years of experience in matching students with tutors in Singapore through its online marketplace website. It was fined SGD 10,000 for breach of its personal data protection obligations. This is its second fine in two years over its breach of its personal data protection obligations.
On 24 February 2021, the Personal Data Protection Commission (“the Commission”) was informed that personal data information found on Champion Tutor Inc.’s database was sold on the dark web.
The cause of the incident was likely a SQL injection (SQLi) of ChampionTutor’s website. ChampionTutor was already aware of this SQL vulnerability when it conducted a penetration test in December 2020, and even though ChampionTutor had instructed its developer in India to fix the vulnerability, the problem was left unfixed until the incident. .
As a result of the lapse by Champion Tutor Inc., the personal data of 4,625 students, including names, email addresses, contact numbers and addresses, were released to the dark web.
Once the breach was reported, Champion Tutor Inc. took the following remedial actions:
(i) engaging a new team of developers to fix all the SQLi vulnerabilities;
(ii) Parameterising SQL statements by disallowing data-directed context changes to prevent SQL injection attacks from resurfacing; and
(iii) reconstructing the entire website source code to reduce possible vulnerabilities.
After investigating the matter, the Commission concluded that Champion Tutor Inc. had breached the Personal Data Protection Obligation under section 24 of the Personal Data Protection Act (“PDPA”), and that the organisation failed to take active steps to repair the vulnerability even when its developer was not responsive due to the COVID-19 pandemic. Champion Tutor Inc. did not follow up with its developer to ensure the problem was fixed.
However, the Commission had invited Champion Tutor Inc. to make representations in respect of the matter. After considering all the facts and circumstances, the Commission acknowledged that Champion Tutor Inc. took prompt actions to mitigate the adverse effects of the breach. The Commission nevertheless imposed a financial penalty of $10,000 to be paid in 12 instalments.
