November 15, 2021

RedDoorz hit by Singapore's largest data breach, 5.9M users' data stolen, victim fined

The RedDoorz cyber incident, which occurred in September 2020, became the biggest data breach since Singapore's Personal Data Protection Act came into force.

RedDoorz is a Singapore-based hotel company and hospitality brand which maintains 1,500 properties over 100 cities across Singapore, Indonesia, Vietnam, and the Philippines.

At the end of September 2020, the hotel chain discovered that it had suffered a data breach after an unauthorized person accessed its database containing 5.8 million user records. The following customer records were exposed:

A RedDoorz member's email,

Bcrypt hashed passwords,

Full name,

Gender,

Link to profile photo,

Phone number and secondary phone number,

Date of birth,

Occupation.

On Nov. 15, media reported that the Personal Data Protection Commission (PDPC) had fined local firm Commeasure, which operates the RedDoorz website, $74,000. This is much lower than the usual fine because the Commission took into account that the hotel chain suffered losses due to Covid-19.

On Nov. 11, the PDPC spokesperson commented on the judgment.

In deciding the amount of financial penalty to be imposed, we also considered that the organisation, which operates in the hospitality industry, had been severely impacted by the Covid-19 pandemic. This is the largest data breach that has occurred since the Personal Data Protection Act came into effect.

Recently, the Dutch Data Protection Authority fined the low-cost airline Transavia €400,000 for poor personal data security after a massive data breach. The personal data of 25 million of the airline's passengers was exposed.