P2023-ND-005

On January 15, 2022, the Organization completed a system migration. As a result of this migration, a misconfiguration was introduced in an external-facing application programming interface (API). As a result of the migration, a filter was inadvertently omitted and the API fetched additional details. On September 15, 2022, the misconfiguration was discovered and fixed. On October 13, 2022, the Singapore Data Protection Commission (PDPC) and Computer Emergency Response Team of the Cybersecurity Agency of Singapore (SingCERT) notified the Organization of an individual claiming to be selling personal data of the Organization?s customers on a forum. The Organization was able to confirm a threat actor was able to exploit that vulnerability during a 6-day period from May 7 to May 13, 2022, and again on June 25, 2022.

File Type: pdf
File Size: 617 KB
Categories: 2023