Undertaking by Tech In Asia Pte Ltd
Background
Tech In Asia Pte. Ltd. (“TIA”) notified the Personal Data Protection Commission (the “Commission”) on 7 June 2024 of a personal data breach involving its Indonesian subsidiary, PT Teknologi Indonesia Asia (“TIA Indonesia”). The personal data of users of TIA Indonesia’s website had been exfiltrated by a threat actor and published for sale on the dark web (the “Incident”).
Investigations revealed that the threat actor (“TA”) had exploited a legacy public-facing API endpoint that lacked the logic and ability to verify authorization token permissions. Because the endpoint did not check that the presented token belonged to the user whose record was requested, the TA was able to incrementally scrape user IDs (a sequential number) and email addresses from the API endpoint.
The TA exfiltrated the personal data of approximately 220,000 individuals who were registered users of TIA Indonesia’s website. The types of personal data affected include the user ID, email address, full name, display name and registration date. The international website managed directly by TIA was not affected in the Incident.
Upon discovery of the Incident, TIA took prompt remedial action. This included immediately patching the affected API endpoint to prevent any further data leaks, and conducting a comprehensive inventory and review of all existing API endpoints, in particular user profile-related endpoints, to ensure that there were no other vulnerabilities.
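The defect described above, a user-profile endpoint that validates the bearer token but never checks whether that token belongs to the record being requested, is illustrated below beside its patched form. This is an added example and not TIA’s code; the user table, the HMAC-signed token format and the status-code conventions are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key-not-a-real-secret"  # constructed sample key

# Constructed sample user table with sequential IDs, as described in the Incident
USERS = {
    1001: {"email": "a@example.com", "full_name": "User A"},
    1002: {"email": "b@example.com", "full_name": "User B"},
    1003: {"email": "c@example.com", "full_name": "User C"},
}

def issue_token(user_id):
    """Mint a signed bearer token whose subject is the caller's own user ID."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": user_id}).encode()).decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def verify_token(token):
    """Return the token's claims if its signature is valid, otherwise None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))

def legacy_get_user(token, user_id):
    """Legacy behaviour: only checks that *a* valid token was presented, so any
    authenticated caller can read any record by walking the sequential ID space."""
    if verify_token(token) is None:
        return 401, None
    user = USERS.get(user_id)
    return (200, user) if user else (404, None)

def hardened_get_user(token, user_id):
    """Patched behaviour: the token's subject must match the requested record
    (object-level authorization), so cross-user reads are refused."""
    claims = verify_token(token)
    if claims is None:
        return 401, None
    if claims.get("sub") != user_id:
        return 403, None  # refuse before the lookup, so existence is not revealed
    user = USERS.get(user_id)
    return (200, user) if user else (404, None)
```

In the legacy handler a single valid token is enough to read every record; in the hardened handler the same token returns 403 for any user ID other than its own subject.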
Voluntary Undertaking
Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (the “PDPA”). The Undertaking was executed on 22 August 2024.
As part of the Undertaking, TIA will be implementing the following:
(a) Initiate rate limiting and alert systems for API requests;
(b) Introduce an API Gateway for centralized API management;
(c) Enhance the development code review and QA processes; and
(d) Implement 2FA or multifactor authentication.
The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any term of the Undertaking, the Commission may issue a direction to ensure the Organisation’s compliance with the Undertaking.