The Personal Data Protection Commission (PDPC) in Singapore has fined PPLingo Pte, the provider of the online learning platform LingoAce, after a data breach affecting over 550,000 students and parents. The breach was caused by an administrator setting the password to “lingoace123,” the name of the service followed by the number 123.
The hacked system was the operations support system (OPS) server used to manage classes and schedules, which had been in place since 2020 without the password being changed. On April 26, 2022, hackers attempted to breach the system and successfully gained access within a day.
The company became aware of the breach when hackers accessed another employee’s email, but no additional demands were made. Similar incidents have occurred in Singapore before, such as the case of Re Chizzle Pte Ltd in 2020, where using the company name in a password was deemed unsafe by the PDPC.
The company has taken significant measures, including implementing two-factor authentication for OPS and email logins. Although the company requested a fine not exceeding SGD 35,000, the PDPC determined the damage to be severe and imposed a fine of SGD 74,000, or over 2 million baht.
TLDR: PDPC fines PPLingo Pte for a data breach affecting over 550,000 individuals due to a weak password, emphasizing the importance of strong cybersecurity measures.