RedDoorz data breach
A misconfigured cloud database exposed the records of about 5.9 million RedDoorz hotel-booking customers, making it Singapore's largest data breach at the time and leading the PDPC to fine operator Commeasure, with the penalty set against the backdrop of that record-sized exposure.
- Victim: RedDoorz (Commeasure Pte Ltd)
- Loss: $54.5K
- Records: 5.9M
- Users: 5.9M
In September 2020, Singapore-headquartered hospitality start-up RedDoorz suffered a breach that exposed roughly 5.9 million customer records, at the time the largest data breach since Singapore's Personal Data Protection Act (PDPA) came into force in 2014. The breach stemmed not from a sophisticated attack but from a cloud credential left embedded in an old mobile app.
What happened
RedDoorz, operated by Commeasure Pte Ltd, runs a budget-hotel booking platform across Southeast Asia. On 19 September 2020, an American cybersecurity firm alerted the company that one of its databases had been accessed without authorisation. Commeasure notified the Personal Data Protection Commission (PDPC) on 25 September.
Investigators traced the exposure to an access key embedded in an outdated, unused Android APK still publicly available. The key granted access to a database hosted on Amazon Web Services, allowing an attacker to query and exfiltrate the full customer dataset. The PDPC found that Commeasure had no process to manage or remove credentials in legacy code and had not detected the exposure itself.
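The kind of check that would have caught this failure, as an added example that is not code from the original page or from Commeasure: a small Python scanner that unpacks an APK (a zip archive) and flags AWS access-key IDs, run here against a constructed sample archive that carries AWS's published dummy key (AKIAIOSFODNN7EXAMPLE) in a properties file.

```python
import io
import re
import zipfile

# AWS access-key IDs have a fixed, high-signal shape: "AKIA" (long-term) or
# "ASIA" (temporary) followed by 16 upper-case alphanumerics. The 40-character
# secret key is too generic to match reliably, but it usually sits next to the ID.
AWS_KEY_ID_RE = re.compile(rb"(?:AKIA|ASIA)[0-9A-Z]{16}")


def scan_apk_for_aws_keys(apk_bytes):
    """Scan every member of an APK and return sorted (member_name, key_id) pairs.

    Every file is scanned, not just resources: a credential may be in
    assets, XML resources or compiled classes.dex alike.
    """
    findings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            data = apk.read(info.filename)
            for match in AWS_KEY_ID_RE.finditer(data):
                findings.add((info.filename, match.group(0).decode("ascii")))
    return sorted(findings)


def build_sample_apk(include_key=True):
    """Constructed stand-in for a legacy APK (hypothetical, not a real app).

    With include_key=True it ships a hard-coded key in assets/config.properties,
    mirroring the pattern behind the breach; with False it is clean.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest package='example.legacy'/>")
        config = "aws.region=ap-southeast-1\n"
        if include_key:
            config += "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\n"  # AWS's documented dummy ID
        z.writestr("assets/config.properties", config)
        z.writestr("res/raw/notes.txt", "no secrets here")
    return buf.getvalue()


if __name__ == "__main__":
    # A hit means: revoke/rotate the key in IAM first, then remove it from the build.
    # Deleting it from the next release alone leaves old, still-downloadable APKs live.
    for member, key_id in scan_apk_for_aws_keys(build_sample_apk()):
        print(f"hard-coded AWS key ID {key_id} in {member}")
```

Running the scanner over each released APK version, including ones no longer in the store but still downloadable, is what turns this from a one-off audit into the credential-lifecycle process the PDPC found missing.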
Impact
- About 5.9 million customer records were exposed, including names, contact numbers, email addresses, dates of birth, encrypted passwords and booking information.
- Masked credit-card numbers were present but the full card numbers and CVVs were not compromised, limiting direct financial fraud.
- Only around 9,000 affected customers were Singaporeans, but the breach fell under the PDPA because Commeasure is Singapore-based.
Penalty
On 15 November 2021, the PDPC fined Commeasure S$74,000 (about US$54,000). Although this was the largest breach by volume to date, the fine was comparatively modest: the Commission explicitly cited the financial hardship the COVID-19 pandemic had inflicted on the hospitality sector as a mitigating factor in setting the penalty.
Why it matters
The RedDoorz case became a textbook example of cloud-misconfiguration and secrets-management failure. The root cause, a hard-coded credential shipped in a mobile app and never rotated or revoked, is among the most common and preventable cloud-security mistakes. The PDPC's decision underscored that organisations are responsible for the full lifecycle of access credentials, including those buried in deprecated code, and that protective-obligation breaches can be enforced even when most affected individuals are overseas. It remains a frequently cited Singapore enforcement precedent for startups scaling on cloud infrastructure faster than their security practices.
Financial impact
Reported costs in USD
- Fines & settlements: $54.5K
Timeline
- 19 September 2020: Commeasure is alerted by a U.S. cybersecurity firm that a database holding customer data has been compromised.
- 25 September 2020: Commeasure notifies Singapore's Personal Data Protection Commission of the breach.
- Investigation finds that an access key embedded in an old, unused Android APK exposed an AWS-hosted database of 5.9 million records.
- 15 November 2021: The PDPC fines Commeasure S$74,000 for failing to put in place reasonable security arrangements.
- The penalty and breach details are made public; the incident is at the time the largest data breach since Singapore's PDPA took effect.
Sources
- marketing-interactive.com: https://www.marketing-interactive.com/personal-data-protection-commission-fines-reddoorz-sgs-site-operator-over-data-breach
- theregister.com: https://www.theregister.com/2021/11/18/redoorz_fined_for_massive_data_leak/
- theindependent.sg: https://theindependent.sg/spores-largest-data-breach-affects-5-9-million-reddoorz-hotel-booking-site-customers/
- secureblink.com: https://www.secureblink.com/cyber-security-news/reddoorz-incurred-a-fine-of-dollar54456-by-pdpc-of-singapore-following-a-data-breach-exposing-5.9-million-customers