In September 2020, a Singapore-based travel booking company got the phone call every business owner dreads — from a stranger. An American cybersecurity firm reached out with bad news: your customer database has been stolen, and it’s for sale on a hacker forum.
The company was Commeasure, operator of the hotel-booking platform RedDoorz, headquartered right here in Singapore. The haul: 5.9 million customer records — names, contact numbers, email addresses, birth dates, hashed account passwords, and booking histories. It remains the largest data breach the Personal Data Protection Commission has ever handled.
And here’s the sentence that should keep every SME owner in Singapore up at night. After a year and a half of investigation, the PDPC’s conclusion was blunt: “the incident could have been prevented.”
Not by a bigger security budget. Not by a team of specialists. By checking one forgotten file.
The whole breach came down to one old app file
The story is almost painfully ordinary, which is exactly why it’s worth studying.
Inside an old Android app package (APK) — last updated in 2018 and long considered “defunct” by the company — sat an Amazon Web Services access key. A live one. Embedded directly in the code, against AWS’s own explicit advice, and mislabelled internally as a “test key.”
That key was the master key to RedDoorz’s real customer database in the cloud. And because the APK was publicly downloadable from the Google Play Store, anyone who looked inside it could find the key. Someone eventually did — and with it, quietly walked out with 5.9 million records.
Now the part that stings. Commeasure did invest in security: it hired cybersecurity firms, ran security reviews, even used code-obfuscation tools. But because the old APK was considered defunct, it was left out of every review. The one file that mattered was the one file nobody examined. A security tool that could have blocked the key extraction wasn’t applied to it — same reason. The company later told regulators the failure to track its infrastructure access keys came down to high employee turnover: people left, and nobody was keeping the list.
That’s not an exotic hacking story. That’s a story about an unmaintained to-do list — the kind every growing SME has.
What it cost — and why the fine is the smallest number
The PDPC fined Commeasure S$74,000 — and explicitly noted it went easy because the pandemic had crushed the hospitality sector. Don’t let that number fool you into complacency, for three reasons.
First, the fine is never the real bill. The company had to engage external cybersecurity firms, run internal investigations, rebuild credentials and infrastructure, notify millions of customers, and manage global press coverage of its stolen data being hawked on hacker forums — with the brand-name damage of “Singapore’s largest data breach” attached to it permanently. For a business built on customer trust and repeat bookings, that long tail dwarfs S$74,000.
Second, the ceiling has been raised since. Singapore’s benchmark penalty at the time was the S$1 million in combined fines from the SingHealth breach (S$250,000 for SingHealth, S$750,000 for its IT provider IHiS). Today, the PDPA allows penalties of up to 10% of annual Singapore turnover or S$1 million, whichever is higher — meaning a RedDoorz-scale failure now could cost dramatically more.
Third, this keeps happening — to smaller companies. The PDPC’s recent enforcement reads like a warning aimed straight at SMEs. In the past two years alone it has fined a local SaaS provider whose web servers were publicly accessible, running outdated operating systems, and never security-tested — 689,000 people’s data ended up on a hacking forum — and an HR software firm whose breach exposed 95,000 employees’ records after an extortion email. Modest fines, five figures each, but the same pattern every time: ordinary web infrastructure, basic hygiene missed, real people’s data on the dark web.
The lessons, mapped to what actually failed
Every failure in the RedDoorz chain has a cheap, boring fix — and they’re the same fixes that protect any Singapore business with a website or app today:
- Keep an inventory of everything you’ve shipped. The breach lived in an app the company had forgotten it owned. Every website, app, subdomain, plugin, and cloud account you’ve ever launched is still your responsibility until it’s properly retired — “defunct” is not a security status.
- Never embed credentials in code. The AWS key sat inside a public app package, against the provider’s own advice. Keys and passwords belong in proper secrets management, rotated regularly — especially when staff leave, which was precisely Commeasure’s weak point.
- Scope security reviews to everything, not just the shiny parts. RedDoorz paid for security reviews that skipped the one asset that mattered. A review that excludes “old stuff” is a review of your least risky assets only.
- Assume staff turnover, and write things down. “High employee turnover” was the company’s own explanation for the untracked keys. If your access-key list lives in one employee’s head, your security does too.
- Watch for data leaving. The company learned about its own breach from a foreign security firm. Basic monitoring and alerting on your database and cloud accounts turns “a stranger phoned us” into “we caught it same-day.”
- Know your PDPA clock. Once a breach is assessed as notifiable — likely significant harm, or 500+ people affected — you have three calendar days to notify the PDPC. RedDoorz notified within a week of discovery, which counted in its favour; delay and concealment count hard the other way.
Notice what’s not on that list: expensive tools, a security department, anything an SME can’t do. The PDPC’s verdict wasn’t “they were outgunned.” It was “they didn’t check.”
The real takeaway for Singapore SMEs
The RedDoorz breach is the perfect SME cautionary tale precisely because the company wasn’t negligent in the cartoonish sense — it hired security firms, ran reviews, used protective tooling. It just had no complete picture of what it owned, and the gap between “we do security things” and “we know where all our data and keys actually are” swallowed 5.9 million records.
Most Singapore SMEs sit in exactly that gap. There’s a website built by an agency years ago, a mobile app from an old project, plugins nobody remembers installing, a hosting login shared over WhatsApp with someone who’s since left. None of it feels urgent — right up until the phone call from a stranger.
Where Oasis Web Asia comes in
This is precisely why we treat data protection as part of the build, not an add-on: proper credential management, access that gets revoked when people move on, PDPA-aligned data handling, and — crucially — a clear inventory of what exists and who can touch it. If your digital footprint has grown messy over the years (old sites, old apps, old vendors, shared logins), we can take an honest look and tell you where your RedDoorz-shaped gaps are — the same evidence-first approach behind the web development Singapore SMEs already trust us with.
If reading this made you wonder what forgotten file is sitting in your business, that’s exactly the conversation we like to have.
Start a conversation → — get a free consultation with our Singapore-based team.