THURSDAY, March 28, 2024
nationthailand

Travel agent under probe after personal data of clients found to be insecure

Travel agent under probe after personal data of clients found to be insecure

TRAVEL AGENCY Chan Brothers Travel is being investigated by Singapore’s privacy watchdog after the personal data of more than 500 of its customers was found to be publicly accessible.

Screenshots provided by a tip-off seen by The Straits Times showed that the website exposed data such as names, NRIC numbers, passport numbers and travel plans of Chan Brothers Travel’s customers.
The Personal Data Protection Commission (PDPC) said it has been notified of the incident and is investigating.
Responding to ST queries, a spokesman for the travel agency said that it takes full responsibility for the incident and that it was notified of the vulnerabilities on May 16.
It is currently working with its vendor, Aodigy Asia Pacific, to |ascertain the cause of the data exposure.
“Upon notification of the vulnerabilities, we immediately took action to address the matter including containing the extent of vulnerabilities, assessing the extent of impact and reporting the incident to PDPC,” the spokesman said.
“Some of the measures undertaken require continual monitoring, review and action, as it involves information that has been publicly cached. We have shut down the site meanwhile.”
When ST visited the website on Friday, some of the data could still be publicly accessed via cached versions of the site, which are temporarily available versions of websites.
When asked if Chan Brothers Travel had informed any of the affected customers, the spokesman said it was progressively contacting affected customers.
“We are currently investigating this matter and ascertaining the extent and nature of information that was revealed. 
“We would like to assure our customers that no sensitive financial and booking information was revealed,” she said.
“That said, we recognise that no personal data should be exposed at all in any manner and that it is our responsibility and priority to protect our customers’ personal data.”
Andrew Goh, the co-founder of local fintech start-up Factors Platform, informed ST of the insecure data. 
He had come across it as he was in the midst of gathering datasets for his work.
He discovered that he could look up client inquiries and post-tour surveys on the Chan Brothers Travel site, which contained the personal information.
Said Goh: “I have found close to 500 entries in aggregate [inquiries and surveys], close to 450 of them are unique clients.”
He said he had found the data on May 15 evening and decided to go down to the travel agency’s office the next day to notify them about the issue. There, he met its IT director, who, he said, told him that the issue would be sorted out.
Later on May 16, Goh said a Chan Brothers Travel staff member called him to inform him that the problem had been fixed.
But when Goh checked again in the evening, the data was still publicly accessible.
The Chan Brothers spokesman said Goh was still able to view the information that evening as it “was stored in cached pages by the search engines’ servers”.
When asked what recourse Chan Brother will be providing its customers, its spokesman said that it will be “[addressing] their individual concerns personally”.
 

RELATED
nationthailand