Singapore fashion retailer Love, Bonito has been fined a modest US$17,500 as a result of a data breach in late 2019 which exposed information about 5500 customers.
The maximum fine for failing to adequately protect customer data is US$728,000 (SGD1 million).
In a written decision, Singapore’s Personal Data Protection Commission (PDPC) found the company had failed to put in place reasonable security arrangements to protect the personal data, which included names, phone numbers and credit-card details. The breach occurred when an unknown third party accessed Love, Bonito’s software.
The PDPC found that the retailer’s password policy was inadequate. Default security settings did not require employees to use passwords that could not be easily guessed. The password of the breached administrator account was “ilovebonito88”, which, given its use of the company name, was relatively easy for hackers to crack using brute-force attacks.
Love, Bonito was breached in December 2019 and promptly communicated with affected customers. Systems have since been updated to prevent a repeat.