Undertaking by Quadrant Global Pte Ltd
Background
Quadrant Global Pte. Ltd. (“QGPL”) notified the Personal Data Protection Commission (the “Commission”) on 14 May 2024 of a personal data breach involving individuals using its Geolancer mobile application (the “Geolancers”). The personal data of the Geolancers had been exfiltrated by a threat actor and published for sale on the dark web (the “Incident”).
Investigations revealed that the threat actor (“TA”) had likely exploited an out-of-date Jenkins application vulnerable to CVE-2024-23897 (“Vulnerability”) to access the internet-facing Elastic Compute Cloud (“EC2”) server. Subsequently, the TA obtained the Access Key ID of a privileged user, system_sa. With the Access Key, the TA managed to access an AWS S3 Bucket and exfiltrated a comma-separated values file containing the personal data of the Geolancers.
The TA exfiltrated the personal data of approximately 75,087 individuals who are worldwide users of the Geolancer mobile application. The types of personal data affected included, but were not limited to, user IDs, telephone numbers, email addresses, city locations and cryptocurrency addresses.
Upon discovery of the Incident, QGPL took prompt remedial actions, including engaging a forensic vendor to assist with determining the root cause of the Incident and notifying the affected individuals. The impacted EC2 server was promptly isolated and secured by patching all known vulnerabilities, and all AWS Access Keys were rotated.
Voluntary Undertaking
Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 18 October 2024.
As part of the Undertaking, QGPL will be implementing the following:
(a) Undertaking a comprehensive review of its Vulnerability Management standard and associated remediation practices, to ensure that it adheres to defined SLAs for prompt and effective remediation of any vulnerabilities in the future;
(b) Implementing a Key Rotation Policy; and
(c) Conducting a review exercise to ensure all the remedial measures were effective to deter similar incidents.
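A key-rotation audit in the spirit of item (b), added here as an illustrative example that is not part of the Undertaking or of QGPL's own tooling: it reads an IAM credential report (a constructed sample in that report's column layout; the account number, the user names other than system_sa, the dates and the 90-day/30-day thresholds are assumptions) and flags active access keys that are overdue for rotation or idle, the kind of standing credential the Incident turned on.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report (subset of
# columns). Account id, dates and the users other than "system_sa" are made up.
SAMPLE_REPORT = """user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
system_sa,arn:aws:iam::111122223333:user/system_sa,true,2023-01-10T08:00:00+00:00,2024-05-12T03:21:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,true,2024-04-01T09:00:00+00:00,2024-05-10T07:00:00+00:00,true,2023-06-01T09:00:00+00:00,N/A
analyst,arn:aws:iam::111122223333:user/analyst,false,N/A,N/A,false,N/A,N/A
"""

MAX_KEY_AGE = timedelta(days=90)   # assumed policy threshold for rotation
MAX_IDLE = timedelta(days=30)      # assumed threshold for an unused active key


def _parse(ts):
    """Credential reports use N/A / no_information for absent timestamps."""
    return None if ts in ("N/A", "no_information", "") else datetime.fromisoformat(ts)


def audit_access_keys(report_csv, now):
    """Return (user, key slot, issue) for every active key that breaches policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive keys cannot be used, so they are out of scope
            rotated = _parse(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse(row[f"access_key_{slot}_last_used_date"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                findings.append((row["user"], slot, "rotate_overdue"))
            # An active key nobody uses is standing exposure with no benefit.
            if last_used is None or now - last_used > MAX_IDLE:
                findings.append((row["user"], slot, "idle"))
    return findings


def audit_sample():
    """Run the audit on the constructed sample as of 2024-05-14 UTC."""
    return audit_access_keys(SAMPLE_REPORT, datetime(2024, 5, 14, tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, slot, issue in audit_sample():
        print(f"{user}: access key {slot} -> {issue}")
```

In a real deployment the report comes from the IAM credential report rather than an inline string, and each finding would feed a ticket with a fixed remediation SLA, which is what a Vulnerability Management standard with defined SLAs (item (a)) requires.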
The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.