Cortina Watch asked to undergo cyber-security audit in lieu of fine after 2023 data breach – The Straits Times


SINGAPORE – Luxury retailer Cortina Watch has been asked to engage the services of a third-party cyber-security vendor for an audit, after a data breach in 2023 saw the information of almost 4,000 individuals stolen and uploaded on the dark web.

The Personal Data Protection Commission (PDPC) said in a judgment published on May 23 that the retailer will not be fined, after taking into account the impact of the breach, its prompt remedial actions, and its cooperation during investigations.

A total of 3,953 people were affected, and the information stolen included details such as their full names and contact numbers.

Some others had their bank account numbers stolen.

The commission said it was notified of the breach by Cortina Watch on June 5, 2023, when it reported a ransomware attack on its server.

Investigations showed that the retailer had been the target of multiple cyber attacks between April 30 and June 4 in 2023, and on May 27, 2023, a hacker was able to compromise an account that Cortina Watch was using to test virtual private network (VPN) access.

He managed to steal 5.82GB of data, and had made use of the LockBit 3.0 ransomware to encrypt other files on the retailer’s servers before posting the information on the dark web.

The Straits Times reported on June 9, 2023, that the files included usernames and passwords for company and staff accounts, on top of customer data.

The firm’s inventory of watches, sales orders and sales tactics were also uploaded.

To rectify the situation, Cortina Watch took all its servers offline between June 4 and June 9, 2023, on top of implementing various cyber-security measures.

This included making use of encryption to secure its data – something it had not done previously.

The judgment said the company admitted that it failed to adopt reasonable access controls to its network through its test VPN accounts.

Such controls, including the use of complex usernames or multi-factor authentication for access, were not applied to those accounts.

The firm admitted to not enforcing a strong password policy. Its only requirement was that passwords must have a minimum length of eight characters.

“Ultimately, it is an organisation’s responsibility to put reasonable security arrangements in place to protect the personal data in its possession or control…” said the PDPC, adding that the implementation should reflect the volume and sensitivity of the data handled, among other considerations.

