_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,232,232,1,952,"Directions were issued to Universal Travel Corporation for disclosing a passenger list, consisting of 37 customers' personal data, to four of its customers without consent. The organisation was also penalised for its lack of data protection policies.","[""Consent"", ""Purpose Limitation"", ""Notification"", ""Directions"", ""Others""]",2016-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---universal-travel-corporation-(210416).pdf,"Consent, Purpose Limitation, Notification",Breach of Consent and Other Obligations by Universal Travel Corporation,https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-consent-and-other-obligations-by-universal-travel-corporation,2016-04-21,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1508-A496 UNIVERSAL TRAVEL CORPORATION PTE LTD (UEN. 197302113R) ... Respondent Decision Citation: [2016] SGPDPC 4 GROUNDS OF DECISION 20 April 2016 A. BACKGROUND 1. The Personal Data Protection Commission (“Commission”) received a complaint from a credible source concerning the alleged disclosure by the Respondent of personal data of 37 customers (the “passenger list”) in early March 2015 to certain individual(s) who participated in the 12 Days Legend of the Balkans Tour from 17 February 2015 to 28 February 2015 (“Balkans Tour”). 2. In the premises, the Commission decided to carry out an investigation into the matter. The Commission’s findings are set out below. B. MATERIAL FACTS AND DOCUMENTS 3. 
Sometime in or around late February 2015, four of the customers of the Balkans Tour requested the Respondent to furnish formal documentation confirming the cancellation of their transit flight to Sofia on 18 February 2015 (TK1027/18FEB15 ISTANBUL-SOFIA) (“formal confirmation”) to process their insurance claims. 4. The Respondent therefore requested from Turkish Airline written confirmation of the flight cancellation and the affected passenger list. 5. Sometime in early March 2015, the Respondent sent the formal confirmation together with the letter from Turkish Airline and the passenger list by email to four of the customers of the Balkans Tour. The passenger list that was sent contained the name, nationality, date of birth, passport number, passport expiry date and passenger name record (a record in the database of a computer reservation system (CRS) that contains the itinerary for a passenger, or a group of passengers travelling together) of all 37 of the passengers/customers that were on the Balkans Tour. The passengers’ details were not masked or redacted when it was sent by the Respondent. It is not disputed that the passengers’ details constituted personal data under the control of the Respondent at the material time. 6. In the Respondent’s response to the Commission during the investigation, the Respondent confirmed to the Commission that it did not obtain consent from the 37 passengers to disclose their personal data to other parties. It also mentioned that none of the passengers had authorised the release of their personal data to third parties. The Respondent confirmed to the Commission that it also did not have any personal data policy in place at the material time. C. COMMISSION FINDINGS AND BASIS FOR DETERMINATION 7. The issues in this case to be determined are as follow: i. Has the Respondent complied with sections 13[1] and 20[2] of the Personal Data Protection Act 2012 (“PDPA”) in disclosing the personal data to the customers of the Balkans Tour? ii. 
Was the disclosure of the personal data made in accordance with section 18 of the PDPA,[3] ie for purposes that a reasonable person would consider appropriate in the circumstances? iii. Has the Respondent complied with section 12(a) of the PDPA[4] in developing and implementing policies and practices necessary to meet its obligations under the PDPA? Contraventions by the Respondent under sections 13 and 20 of the PDPA 8. The Commission notes that the Respondent intentionally sent the passenger list to the four individuals who had requested for confirmation of the flight cancellation. 9. However, the Respondent had not sought for or obtained any of the 37 passengers’ consent in disclosing their information contained in the passenger list to the other individual(s) who were requesting for the formal confirmation from the Respondent. In this regard, the Respondent did not have the requisite consent from the 37 passengers to disclose their personal data to other individual(s) under section 14 of the PDPA. 10. In relation to whether the 37 passengers could be deemed to have consented to the disclosure of the personal data under section 15 of the PDPA, the Commission finds that no such deemed consent can be imputed on the facts. The Commission notes that when the 37 passengers voluntarily provided their personal data to the Respondent, the purposes for providing their personal data did not include the purpose of allowing another passenger(s) to process his/her insurance claim. This is fortified by the Respondent’s confirmation that none of the passengers had agreed or authorised the release of their personal data to a third party. The Commission notes that each individual only required his or her flight details and confirmation of the flight delay in order to process his or her insurance claim. 11. 
In its submissions to the Commission, the Respondent claimed that the exception provided for in paragraph 1(a) of the Fourth Schedule of the PDPA (the “exception”) applied[5] to the case and hence it was not required to seek the consent of the individuals concerned for the disclosure of the 37 passengers’ personal data. 12. Having considered the context and circumstances of the case, the Commission concludes that the aforesaid exception does not apply for the following reasons: i. “Interests of the individual” under Paragraph 1(a) of the Fourth Schedule should refer to the interests of the data subject. Disclosing the personal data of other passengers to a fellow passenger for the purpose of enabling that passenger to make a claim against his travel insurance policy for himself cannot be said to be in the interest of any one or all of the other passengers. ii. It does not appear obvious to the Commission that in order to make an insurance claim, details of all other affected passengers on the Balkans Tour had to be disclosed. For one, the Respondent could have provided the confirmation with only the details of the individual making the insurance claim. Alternatively, the other passengers’ details could be removed or redacted in the list when it was forwarded to the recipients. There is no suggestion otherwise that these actions could not be carried out. iii. There is nothing to suggest that consent for disclosure could not be secured from the passengers in the list in a timely manner, or that there was urgency in the matter which warranted the consent from the other passengers to be dispensed with. 13. In the circumstances, by disclosing the passenger list containing the personal data of the 37 passengers without obtaining their prior consent, the Respondent had contravened section 13 of the PDPA. Additionally, since the Respondent had also not informed of the purposes for which it was disclosing their personal data, it is also in breach of section 20 of the PDPA. 
Disclosure of personal data was not for purposes reasonable or appropriate in the circumstances or for purposes that the individual has been informed of under section 20 14. In view that the disclosure of the entire passenger list goes beyond supporting an individual customer’s insurance claim (as set out in paragraphs 12i and 12ii above), the disclosure could not be for purposes that a reasonable person would consider appropriate in the circumstances. 15. In addition, since the Respondent had not been informed of the purposes for which it was disclosing the passengers’ personal data, it was also not in compliance with section 20 of the PDPA. 16. In this regard, the Respondent was also in breach of section 18 of the PDPA. Failure to develop and implement policies and practices necessary to meet obligations under the PDPA 17. Given that the Respondent had not put in place data protection policies to ensure compliance with the PDPA at the material time when the data breach transpired, as confirmed by the Respondent in its response to the Commission’s request for information and documents on 13 August 2015, the Respondent was in breach of section 12(a) of the PDPA. 18. The Commission notes from the Respondent’s response of 24 August 2015 that the Respondent is taking steps to set up guidelines with regard to the use and disclosure of customers’ personal data to comply with section 12(a) of the PDPA. D. ENFORCEMENT ACTION TAKEN BY THE COMMISSION 19. Given the Commission’s findings that the Respondent is in breach of its obligations under sections 12(a), 13, 18 and 20 of the PDPA, the Commission is empowered under section 29 of the PDPA to give the Respondent such directions as it deems fit to ensure compliance with the PDPA. This may include directing the Respondent to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit. 20. 
In exercise of the power conferred upon the Commission pursuant to section 29 of the PDPA, the Commission directs the Respondent to take the following steps: i. To put in place within 3 months a data protection policy and internal guidelines to comply with the provisions of the PDPA and, in particular, to prevent future recurrences of the breaches that have occurred in this matter; ii. To inform within 2 weeks the individuals who received the passenger list not to disclose the list to other third parties; iii. For all employees of the Respondent handling personal data to attend a training course on the obligations under the PDPA and the organisation’s data protection policies within 6 months from the date of this decision; and iv. To inform the Commission of the completion of each of the above within 1 week. 21. On a balance, the Commission has decided not to impose a financial penalty on the Respondent in view of the overall circumstances of the matter, namely: i. that the disclosures were made to a limited number of persons and to their personal email addresses; ii. that the personal data that was disclosed was in relation to limited individuals; iii. that the disclosures were not due to a systemic issue that could result in further disclosures to be made or further harm to be caused; iv. that the disclosures appear to be caused by the lack of awareness on the Respondent’s employees’ part of data protection obligations; and v. that the disclosures were bona fide mistakes made by the Respondent’s employees who were seeking to assist the passengers with their insurance claims, and not one where there was a wilful disregard for the provisions in the PDPA. 22. The Commission emphasises that it takes a very serious view of any instance of non-compliance with the PDPA, and it urges organisations to take the necessary action to ensure that they comply with their obligations under the PDPA. 
The Commission will not hesitate to take the appropriate enforcement action against the organisation(s) accordingly. YEONG ZEE KIN COMMISSION MEMBER PERSONAL DATA PROTECTION COMMISSION [1] Section 13 of the PDPA prohibits an organisation from collecting, using or disclosing an individual’s personal data unless the individual gives, or is deemed to have given, his consent for the collection, use or disclosure of his personal data. This provision is also to be read with Section 14, 15 and Section 20 of the PDPA. [2] Section 20 of the PDPA requires, amongst other things, that an organisation informs an individual of (a) the purposes for the collection, use or disclosure of personal data, on or before collecting the personal data; and (b) any other purpose of the use or disclosure of the personal data of which the individual has not been informed under paragraph (a) above before the use or disclosure of the personal data for that purpose. [3] Section 18 of the PDPA provides that an organisation may collect, use or disclose personal data about an individual only for purposes (a) that a reasonable person would consider appropriate in the circumstances; and (b) that the individual has been informed of under section 20, if applicable. [4] Section 12(a) of the PDPA provides that an organisation shall develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation. [5] Paragraph 1(a) of the Fourth Schedule of the PDPA states that an organisation may disclose personal data about an individual without the consent of the individual if the disclosure is necessary for any purpose which is clearly in the interests of the individual and if consent for its disclosure cannot be obtained in a timely way. 
",Directions,5a0ff182bd0082f840e509fc39079487ae98fb3a,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,233,233,1,952,A warning was issued to YesTuition Agency for disclosing tutors’ personal data on its website without consent.,"[""Consent"", ""Warning"", ""Education"", ""YESTUITION"", ""Tuition""]",2016-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---yestuition-agency-(210416).pdf,Consent,Breach of Consent Obligation by YesTuition Agency,https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-consent-obligation-by-yestuition-agency,2016-04-21,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1407-A028 YESTUITION AGENCY (UEN No. 53084839B) …Respondent Decision Citation: [2016] SGPDPC 5 GROUNDS OF DECISION 20 April 2016 BACKGROUND 1. On 16 July 2014, the Personal Data Protection Commission (“Commission”) received information that YESTUITION AGENCY (UEN 53084839B) (the “Respondent”) had disclosed on its website the NRIC numbers and images of certain individuals who had registered to be tutors with the Respondent and it was alleged that they had done so without the consent of the individuals concerned. 2. In light of the information received, the Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (No. 26 of 2012) (the “PDPA”) to ascertain whether there had been a breach by the Respondent of its obligations under the PDPA. The Commission’s findings are set out below. MATERIAL FACTS AND DOCUMENTS 3. The Respondent is a locally registered business providing home tuition matching services to individuals seeking tutors for primary to A-levels education. The Respondent renders its matching services via a website, which it operates at www.yestuition.sg (the “Site”). 4. 
The Site consists of various webpages that are accessible to the public and a tutors’ log-in portal which is accessible only by individuals who had registered with the Respondent to be a tutor. Disclosure of NRIC numbers and images by the Respondent 5. From the Commission’s examination of the Site, it was found that the Respondent had published images of its tutors on its Site. The tutors’ images were stored in a JPEG file format and named using the tutors’ respective NRIC particulars, for example, as 1234567A.jpg. As such, the Respondent had also disclosed the tutors’ respective NRIC numbers with the images. 6. The NRIC numbers and images were at the material time made publicly discoverable and accessible via a directory listing on one of the Site’s pages. Investigations by the Commission indicate that there were approximately thirty (30) individuals whose images and NRIC numbers were listed by the Respondent in the directory listing. The Respondent’s responses to the Commission 7. In its responses to the Commission during the investigation, the Respondent represented that it had more than 10,000 tutors’ profiles on its Site. It asserted that these profiles were not disclosed to members of the public. 8. The Respondent explained that individuals who wished to register with the Respondent as tutors were required to provide the following set of information to it by filling out a form made available on the Site (the “Form”): (a) Full names; (b) NRIC numbers; (c) Residential addresses; (d) Mobile numbers; (e) Email addresses; (f) Education backgrounds; and (g) Relevant tutoring experiences. 9. Using the above information, the Respondent would then match the tutors to the appropriate students, and in return, collect a fee for the matching service. 10. 
The Respondent also represented to the Commission that tutors who submitted their personal data via the Site would have provided either their express or deemed consent to the collection, use, and disclosure of their personal data by the Respondent for the purposes of providing the tutors with tuition matching services. In this regard, the Commission notes that the Form expressly notified tutors that: “By submitting this form, you hereby accept all terms & conditions as well as consent to be included in the mailing list of Yes Tuition to receive all information from us (Yes Tuition) electronically. Please be assured that we do not sell your personal information to third parties, and we will abide by our Privacy Policy”. 11. The Commission also sets out below the more pertinent terms of The Respondent’s Privacy Policy, which was referred to in the Form and available on The Respondent’s Site at the material time, as follows: “Tutor A tutor is a person who registers and maintains an account with Yes Tuition. When you register as a tutor we ask for information such as your name, identification number, email address, passwords, telephone number, gender, occupation, qualification, and subjects you are interested to teach. Once you register with Yes Tuition and sign in to our services, you are not anonymous to us. Tutors can go on-line to access their personal profile, and make changes to the subjects they are interested to teach and their personal information. … Tutor Yes Tuition will not share personal information with any other third parties without your permission, unless required by, or in connection with, law enforcement action, subpoena or other litigation, or applicable law. Yes Tuition will not sell, trade or lease your personal information to others. Choice and Consent Yes Tuition does not require that you provide Yes Tuition with personal information. The decision to provide personal information is voluntary. 
If you do not wish to provide the personal information requested, however, you may not be able to proceed with the activity or receive the benefit for which the personal information is being requested. Except as expressly stated otherwise in this Privacy Statement, you may opt out of having Yes Tuition share personal information with third parties as described in this Privacy Statement by notifying Yes Tuition in writing of your desire to do so. … (Emphasis underlined)” COMMISSION’S FINDINGS AND ASSESSMENT Relevant issue 12. In this case, the primary issue is whether the Respondent had the tutors’ consent for their disclosure of their NRIC numbers and images to members of the public. 13. Under section 13 of the PDPA, organisations are prohibited from collecting, using or disclosing personal data about an individual unless: (a) the individual gives, or is deemed to have given, consent under the PDPA to such collection, use or disclosure; or (b) collection, use or disclosure of the personal data (as the case may be) is authorised or required under any written law. Commission’s Findings 14. As noted above, the Respondent collected several categories of personal data from its tutors. With the exception of the tutors’ NRIC numbers and images, it generally did not disclose these data to members of the public. The Commission notes that this is in line with the terms of the Respondent’s own Privacy Policy. 15. However, the Commission is of the view that the Respondent had not obtained its tutors’ consent for disclosure of their images and NRIC numbers, which had been published on one of the pages of the Site. In this regard, the Commission further notes that such disclosure ran counter to the terms of the Respondent’s own Privacy Policy. 16. In light of the foregoing, the Commission is of the view that the Respondent had disclosed the personal data of some of its tutors without their consent, and it is therefore in breach of section 13 of the PDPA. 
ENFORCEMENT ACTION BY THE COMMISSION 17. Given the Commission’s findings that the Respondent is in breach of its obligations under section 13 of the PDPA, the Commission is empowered under section 29 of the PDPA to give the Respondent such directions as it deems fit to ensure compliance with the PDPA. This may include directing the Respondent to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit. 18. In considering whether a direction should be given to the Respondent in this case, the Commission notes the following: (a) The Respondent took proactive steps to restrict access to the relevant page containing personal data on the Site once it was made aware of the issue, and changed its practice of using its tutors’ NRIC numbers as the file names of their images; and (b) The Respondent had been cooperative with the Commission and forthcoming in its responses to the Commission during the Commission’s investigation. 19. In view of the factors noted above, the Commission has decided not to issue any direction to the Respondent to take remedial action or to pay a financial penalty. Instead, it has decided to issue a Warning against the Respondent for the breach of its obligations under section 13 of the PDPA. 20. The Commission emphasises that it takes a very serious view of any instance of non-compliance with the PDPA, and it urges organisations to take the necessary action to ensure that they comply with their obligations under the PDPA. The Commission will not hesitate to take the appropriate enforcement action against the organisation(s) accordingly. 
YEONG ZEE KIN COMMISSION MEMBER PERSONAL DATA PROTECTION COMMISSION ",Warning,20a97b6ebe97b71c317c4befaebf71b555f828dd,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,234,234,1,952,"A warning was issued to Challenger Technologies and its data intermediary, Xirlynx Innovations, for failing to make reasonable security arrangements to prevent unauthorised disclosure of Challenger members’ personal data while sending out emails to some 165,000 members.","[""Protection"", ""Warning"", ""Wholesale and Retail Trade"", ""Others"", ""CHALLENGER"", ""XIRLYNX""]",2016-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---challenger-technologies-(210416).pdf,Protection,Breach of Protection Obligation by Challenger Technologies and Xirlynx Innovations,https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-obligation-by-challenger-technologies-and-xirlynx-innovations,2016-04-21,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1409-A103 (1) CHALLENGER TECHNOLOGIES LIMITED (U.E.N. 198400182K) (2) XIRLYNX INNOVATIONS (U.E.N. 52942580K) …Respondents Decision Citation: [2016] SGPDPC 6 GROUNDS OF DECISION 20 April 2016 BACKGROUND 1. The Personal Data Protection Commission (the “Commission”) received a complaint from a member of the public on 15 September 2014 concerning an alleged data breach by Challenger Technologies Limited (“Challenger”). In brief, the complainant alleged that Challenger had sent email communications to members of its ValueClub programme, which contained the personal data of another ValueClub member. 2. The Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (“PDPA”) to ascertain whether there had been a breach by Challenger of its obligations under the PDPA. 3. 
In the course of its investigation, the Commission found that the email communications in question (which were sent to Challenger’s ValueClub members) had been sent by Xirlynx Innovations (“Xirlynx”), a business engaged by Challenger to handle all its email communications to members of Challenger’s ValueClub programme. The Commission’s investigation therefore also examined whether there had been a breach by Xirlynx of its obligations under the PDPA. 4. The Commission’s findings are set out below. MATERIAL FACTS AND DOCUMENTS 5. Challenger is a retailer of information technology (“IT”) and other electronic products with several outlets around Singapore. As part of its customer relations efforts, Challenger established a customer membership programme known as ValueClub, which provides members with membership savings and discounts (amongst other benefits), and enables them to earn and accumulate ValueClub programme points which may be redeemed to offset the cost of purchases made at Challenger outlets. 6. Xirlynx is a third party IT vendor, which is registered and managed by its sole proprietor, [Redacted] (Replaced with Mr T). 7. Some time in or around March 2010, Challenger engaged Xirlynx to manage and execute Challenger’s email campaigns under a contract for an “Email Blasting Package”. The services provided by Xirlynx to Challenger under the contract included managing Challenger’s ValueClub membership database and sending Challenger’s weekly advertisements of promotions and monthly ValueClub e-statements to ValueClub members. 8. Challenger thereafter periodically renewed its “Email Blasting Package” contractual engagement with Xirlynx for the latter to send email communications to ValueClub members, including the email communications which are the subject of the Commission’s present investigation. 9. In September 2014, Xirlynx sent the monthly ValueClub e-statements for that month to the ValueClub members by email (the “September Emails”). 
However, many of the September Emails contained personal data of another ValueClub member, including their name, expiry date of their ValueClub membership and total number of ValueClub programme points accumulated by the other member. How the Data Breach Occurred 10. In Challenger’s responses to the Commission during the investigation, Challenger indicated that it had, upon being notified of the matter by the Commission, informed [Redacted] (Replaced with Mr T) of Xirlynx about the alleged breach because Xirlynx managed Challenger’s ValueClub membership database and was the party responsible for sending out email communications to the ValueClub members. Challenger also conducted an internal investigation to ascertain the cause of the data breach. 11. Following its internal investigation, Challenger represented to the Commission that the root cause of the data breach was a processing error by their vendor, Xirlynx. 12. Challenger also represented to the Commission that it had taken remedial actions to inform the affected ValueClub members regarding the data breach and to rectify the mistakes caused by Xirlynx’s error. In addition, Challenger represented that it had taken the extra precautionary step of terminating Xirlynx’s services upon discovering the cause of the data breach, and it reviewed its ValueClub communication processes to prevent a reoccurrence of the data breach. 13. Separately, in Xirlynx’s responses to the Commission during the investigation, Xirlynx explained that in September 2014, it had been instructed by Challenger to email that month’s ValueClub e-statements to ValueClub members. Xirlynx further explained that the following steps comprise its usual workflow for sending the ValueClub e-statements to ValueClub members: (a) Xirlynx would receive a copy of the contents for the ValueClub e-statements from Challenger one day before the intended email blast. 
(b) Xirlynx would adapt the contents received from Challenger into a ValueClub e-statement HTML template. At this point, variables such as members’ names, the expiry date of their ValueClub membership and their total number of existing ValueClub programme points, would have not yet been inserted into the HTML template. (c) Xirlynx would then send the adapted layout to Challenger for its approval. Upon approval, Challenger would send to Xirlynx its updated ValueClub membership database with the latest ValueClub programme points for each member, listed in a text file (.txt) format. (d) As Challenger’s membership database contains duplicate email addresses, Xirlynx would import the database into an Excel worksheet and remove any duplicates using Excel’s “Remove Duplicates” function. (e) The scrubbed database would then be imported into Xirlynx’s email blast system, and the ValueClub e-statements sent out to the ValueClub members. 14. For the September 2014 ValueClub e-statements, Xirlynx explained that it had carried out the usual steps listed above. However, while using the “Remove Duplicates” function in Excel to remove the email duplicates from Challenger’s membership database, Xirlynx admitted that it had inadvertently also caused an Excel column in the worksheet containing a list of ValueClub members’ names, and an Excel column containing a list of the members’ email addresses, to be mismatched. This mix-up resulted in some ValueClub members’ personal data, specifically, their names, ValueClub membership expiry dates and ValueClub programme points being sent to other ValueClub members in the September Emails. In short, Xirlynx’s error in the processing of the membership database led to the occurrence of the data breach. 15. Xirlynx informed the Commission that ValueClub e-statements with personal data of another ValueClub member had been sent to 165,306 ValueClub members. 
Xirlynx further represented that “only 34,230 recipients [of the September Emails] that had opened the e-statements were affected”. The Commission understands that Xirlynx derived this smaller number from its data on the number of ValueClub e-statements in the September Emails which were actually accessed by the ValueClub members. The Commission notes that this does not take into account the possibility of additional members accessing the emails in the future. On balance, the Commission is of the view that since the September Emails had been sent to 165,306 ValueClub members and would likely remain in their email account until accessed or deleted by those members, it cannot be said that only 34,320 members were affected. The Commission therefore takes the view that 165,306 members’ personal data had been disclosed to other members. COMMISSION’S FINDINGS AND ASSESSMENT Issues to be determined 16. The ValueClub e-statements sent in the September Emails each contained a data set that identified another ValueClub member (who was an individual) by his or her full name, and provided the details of the member’s accumulated ValueClub programme points and the expiry date of the member’s ValueClub membership. The contents of the e-statements therefore come within the definition of “personal data” in section 2(1) of the PDPA.[1] 17. Under section 24 of the PDPA, an organisation is required to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 18. Accordingly, a key issue in this case is whether Xirlynx had breached its obligations under section 24 of the PDPA. 19. 
Although Xirlynx had sent the September Emails to ValueClub members, the Commission notes that Xirlynx was processing Challenger’s ValueClub members’ database and sending the September Emails to the ValueClub members for Challenger pursuant to their contract. Related to this, section 4(3) of the PDPA provides that an organisation shall have the same obligation under the PDPA in respect of personal data that is processed on its behalf and for its purposes by a data intermediary as if the personal data was processed by the organisation itself. 20. As such, two additional issues in this case are: (a) Whether Xirlynx was a data intermediary of Challenger in respect of the events that caused the data breach; and (b) If so, whether Challenger had breached its obligations under section 24 of the PDPA. The Commission’s Decision on the Issues Whether Xirlynx is a data intermediary of Challenger 21. Under section 2(1) of the PDPA, a “data intermediary” is an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation.2 22. Section 2(1) also defines the term “processing”, in relation to personal data, to mean the carrying out of any operation or set of operations in relation to the personal data including, but not limited to, any of the following: (a) Recording; (b) Holding; (c) Organisation, adaptation or alteration; (d) Retrieval; (e) Combination; (f) Transmission; (g) Erasure or destruction.3 23. Having reviewed the “invoice no. 
2013-01549 from Xirlynx to Challenger dated 31 December 2013”, and a “non-disclosure agreement dated 24 April 2014, entered into by [Redacted] (Replaced with Mr H) and [Redacted] (Replaced with Mr T) on behalf of Challenger and Xirlynx respectively” which was provided by Xirlynx to the Commission, and based on the facts set out at paragraph 13, the Commission is of the view that Xirlynx had processed personal data of Challenger’s ValueClub members pursuant to the arrangement between Xirlynx and Challenger and they had done so on behalf of Challenger. Further, Challenger had clearly relied on Xirlynx to process its ValueClub members’ personal data to send the email communications in question. Xirlynx was therefore a data intermediary of Challenger for the purposes of the PDPA. 24. As Xirlynx was a data intermediary of Challenger, Challenger has the same obligations under the PDPA in respect of Xirlynx’s processing of personal data, as if the personal data had been processed by Challenger (per section 4(3) of the PDPA). 25. However, this does not affect Xirlynx’s obligations under section 24 of the PDPA as that section applies equally to data intermediaries who process personal data on behalf of and for the purposes of another organisation pursuant to a contract in writing. In this regard, section 4(2) of the PDPA excludes the application of Parts III to VI of the PDPA, except for sections 24 and 25, to such data intermediaries. Whether Xirlynx had breached section 24 of the PDPA 26. The fact that a data breach had occurred was undisputed by both Xirlynx and Challenger. The Commission therefore considered whether Xirlynx had made reasonable security arrangements to prevent the data breach from taking place. 27. From Xirlynx’s representations to the Commission, it was clear that it fell on Xirlynx, as part of its email blasting services, to ensure that the correct individualised ValueClub e-statement was sent to the correct intended recipient. 
Xirlynx’s use of the Excel duplicate removal function while processing Challenger’s ValueClub members database was part of this service. 28. It was therefore Xirlynx’s responsibility to ensure that processing of Challenger’s ValueClub members database was done in the correct manner so as to ensure that the correct set of personal data was sent by Xirlynx to each ValueClub member. The occurrence of the data breach is a prima facie indication that Xirlynx had not fulfilled its responsibilities in respect of processing and sending personal data. 29. The Commission further notes that Xirlynx’s error could have been caught if it had proof-read random samples of the ValueClub e-statements before the e-statements were sent out, to verify that the names of the individuals in the e-statements matched the email addresses to which the e-statements were sent. 30. Sample proof-reading was a reasonable security arrangement that could have been conducted by Xirlynx given the nature of the services it provided, and which would likely have either averted the data leak or greatly reduced the number of individuals affected. The sample size should be appropriate relative to the total number of recipients. 31. Accordingly, the Commission takes the view that by failing to ensure that the correct personal data was sent to ValueClub members via the September Emails, Xirlynx had breached its obligations under section 24 of the PDPA. Whether Challenger had breached its obligation under section 24 of the PDPA 32. In light of the Commission’s above finding that Xirlynx is a data intermediary of Challenger, it follows from section 4(3) of the PDPA that Challenger is obliged to protect the personal data administered by Xirlynx as if Challenger had processed the personal data itself. 
Section 4(3) of the PDPA states: “An organisation shall have the same obligation under this Act in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself.” (Emphasis added.) 33. The Commission’s findings regarding the failure by Xirlynx to fulfil its responsibilities and obligations under the PDPA are therefore equally relevant in determining whether there was a breach of section 24 of the PDPA by Challenger. 34. In addition, the Commission notes that Challenger had heretofore neglected to exercise control over Xirlynx’s workflow in the processing of Challenger’s ValueClub membership database and the sending of email communications to ValueClub members. Challenger had left it to Xirlynx to implement measures required to protect the personal data Xirlynx processed and, until the data breach occurred, had not considered what requirements it would want to implement to ensure that the personal data was appropriately protected, in accordance with section 24 of the PDPA. 35. Accordingly, the Commission is of the view that Challenger had similarly breached its obligation under section 24 of the PDPA. ENFORCEMENT ACTION BY THE COMMISSION 36. Given the Commission’s findings that both Challenger and Xirlynx were in breach of their respective obligations under section 24 of the PDPA, the Commission is empowered under section 29 of the PDPA to issue such directions as it deems fit to ensure compliance with the PDPA. This may include directing either or both parties to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit. 37. 
In considering whether to give such a direction in this case, the Commission notes the following: (a) The personal data leaked was limited (comprising only ValueClub members’ names, their membership expiry dates, and accumulated ValueClub programme points) and not of a sensitive nature; (b) The personal data leaked could not be used by the individuals who had received them to profiteer or benefit from them, and was unlikely to lead to any harm or loss to the individuals concerned; and (c) Both Xirlynx and Challenger had been cooperative with the Commission and forthcoming in their responses to the Commission during the Commission’s investigation. 38. The Commission also notes that Challenger had taken several proactive steps to remedy the breach, including engaging a new IT vendor and hiring the services of a data protection consultant. 39. In view of the factors noted above, the Commission has decided not to issue any direction to either Challenger or Xirlynx to take remedial action or to pay a financial penalty. Instead, it has decided to issue a Warning to Challenger and Xirlynx respectively for the breach of their respective obligations under section 24 of the PDPA. 40. The Commission emphasises that it takes a very serious view of any instance of non-compliance with the PDPA, and it urges organisations to take the necessary action to ensure that they comply with their obligations under the PDPA. The Commission will not hesitate to take the appropriate enforcement action against the organisation(s) accordingly. YEONG ZEE KIN COMMISSION MEMBER PERSONAL DATA PROTECTION COMMISSION 1 See section 2(1) of the PDPA. 2 See section 2(1) of the PDPA. 3 See section 2(1) of the PDPA. 
",Warning,cfdfd40c619176ddcb5c6ee791b4020b5ac902bc,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,235,235,1,952,"A warning was issued to Full House Communications for failing to make reasonable security arrangements to prevent unauthorised disclosure of personal data on its computers at a furniture fair, which collected the data for a lucky draw.","[""Protection"", ""Warning"", ""Admin and Support Services"", ""FULL HOUSE""]",2016-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---full-house-communications-(210416).pdf,Protection,Breach of Protection Obligation by Full House Communications,https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-obligation-by-full-house-communications,2016-04-21,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1503-A368 FULL HOUSE COMMUNICATIONS PTE LTD [Reg. No. 199405394C] ... Respondent Decision Citation: [2016] SGPDPC 8 GROUNDS OF DECISION 20 April 2016 A. INTRODUCTION 1. The Complainant, [Redacted] (Replaced with Mr L), submitted a complaint to the Personal Data Protection Commission (the “Commission”) on 4 March 2015 in respect of the way that the Respondent had collected and protected1 personal data2 at a lucky draw redemption counter operated by the Respondent. The specific matters that were raised in his complaint were as follows: a. The auto-fill function was enabled for the forms on the Respondent’s laptops that a participant had to fill up to register for the lucky draw. This allowed a user to view from a drop-down box the historical entries containing the personal information of the previous registering participants. b. 
The Respondent’s laptop screens were in plain view of customers waiting in line behind the Complainant, which allowed them to view the personal information that was being entered into the laptop. c. The page containing the form was accessed through an unsecured Mozilla Firefox browser at the site: http://localhost/coupon/finish.php. d. The Respondent’s staff did not appear to be adequately trained to ensure the protection of personal data collected at the redemption counter. B. MATERIAL FACTS AND DOCUMENTS 2. The lucky draw that the Respondent had organised was for a Furniture Fair that took place from 28 February 2015 to 8 March 2015 at the Singapore Expo Hall 7. On 1 March 2015, the Complainant and his mother had attended the Furniture Fair and had purchased items which entitled the Complainant to participate in the Respondent’s lucky draw. To participate in the lucky draw, a participant was required to register his or her personal details in the laptops provided by the Respondent at the redemption counter, including the individual’s name, identity card number, occupation, contact number, email address and residential address. The form would then be printed out and dropped into a box for the lucky draw. 3. While entering the personal details of his mother in the computerised form, the Complainant had four (4) main concerns about the level of protection of the personal data that was provided by the Respondent, as mentioned at paragraph 1 above. 4. Following from the Commission’s investigation into the matter, the Respondent’s responses to the Commission were, in essence, as follows: a. The Respondent acknowledged that the auto-fill function had been enabled for all the fields in the form for the convenience of customers. b. 
The Respondent maintained that the personal data entry into the laptops had been in the presence of its staff, and they would watch the customers and ensure that no one would be able to take photos of the personal information displayed on the laptops. c. The forms were not accessible to the Internet. d. Subsequent to receiving the Commission’s notification of this matter, the Respondent had taken remedial actions during the ongoing Furniture Fair. 5. The Commission also understands that the Respondent had taken remedial actions as follows: a. The Respondent said it changed its practices by having the entries into the forms in the laptops made by its staff instead of by the registering participants themselves. b. The Respondent also said that it had re-configured the table arrangements so that the screens of the laptops were aligned away from the view of registering participants in queue at the redemption counter. C. COMMISSION FINDINGS AND BASIS FOR DETERMINATION 6. The Commission’s findings on the four issues raised are as follows. Issues at paragraphs 1a and 1d: The Respondent’s failure to protect personal data by enabling the Auto-fill function and the failure of the Respondent’s staff to protect personal data 7. In the Commission’s assessment, by enabling the auto-fill function, this permitted a user to have access to the personal data of other individual(s) that was stored on the Respondent’s laptops. 8. The Respondent has pointed out that the information that a user would have access to was confined to information found within that particular drop-down box, and that the entries were not listed in chronological order of the time that they were entered into the system. In this regard, it would be difficult to draw a connection between the entries in the various drop-down boxes to link them to a particular individual. 
It follows from this line of argument that the information that a user would have access to would not be personal data, but simply generic information, and hence the Respondent was not in breach of Section 24 of the PDPA. 9. The Commission disagrees with this line of argument. It was noted that the information that was displayed in the drop-down boxes included the individual’s name, identity card number, contact number and email address. Based on the definition of “personal data” under the PDPA, some of this information would, by itself or collectively, amount to personal data. For example, by having a person’s full name in the drop-down box alone, one would be able to identify the person who had registered as a participant of the Furniture Fair. Therefore, even if a person had access to the information in a single drop-down box, that may be sufficient to identify an individual. 10. The Commission also notes that there may be certain instances where a link could be drawn between the information across fields, i.e. the instance where an email address containing part of the individual’s name could be linked to the full name of the individual, and hence identify that individual. 11. In the premises, the Commission finds that by enabling the auto-fill function for the drop-down boxes, the Respondent had failed to make reasonable security arrangements under Section 24 of the PDPA. 12. While the Respondent claimed that its staff had been present to monitor unauthorised user access to data stored in the system, the Commission notes that the Respondent was providing the very function itself (by enabling the auto-fill function) that would allow a user access to personal data of the other individuals. In this regard, the Commission is of the view that the staff presence (if any) would not have made any difference in preventing any user from accessing the personal data stored on the system. 13. 
Notwithstanding the Commission’s view about the presence of the staff at the redemption counter, the Commission makes no finding on the other allegation raised by the Complainant at paragraph 1d above (ie that the Respondent’s staff could not ensure the protection of personal data), as there was no evidence of an actual failure by the Respondent’s staff to protect the personal data collected by the laptops. Issue at paragraph 1b: Laptop screens were in plain view of other customers 14. In relation to the allegation that the Respondent’s laptop screens were in plain view of the other customers, the Commission notes that there is no evidence that other customers could easily observe the information displayed on the laptop screens. The Commission further notes the assurance given by the Respondent that its staff was on hand to watch over the laptops and, in particular, to ensure that other individuals do not take photographs of the laptop screens. The Commission therefore makes no finding in respect of this allegation. Issue at paragraph 1c: Computerised forms accessed through unsecured Mozilla Firefox browsers 15. In respect of the allegation that the computerised forms were accessed through unsecured Mozilla Firefox browsers, the Commission notes that the forms and the personal data were collected and stored on the local hard drives and were not accessible on the internet. The Commission is of the view that the risk of online attacks or intrusion to these laptops where the personal data was held could not be ascertained. The Commission therefore makes no finding in respect of this allegation. D. ACTIONS TAKEN BY THE COMMISSION 16. Given the Commission’s findings that the Respondent is in breach of its obligations under Section 24 of the PDPA, the Commission is empowered under Section 29 of the PDPA to give the Respondent such directions as it deems fit to ensure compliance with the PDPA. 
This may include directing the Respondent to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit. 17. In considering whether a direction should be made or given to the Respondent in this case, the Commission notes that: (a) the impact of the breach is limited, since, in the given circumstances, a user would have had limited time to observe and collect personal data in the drop-down boxes; and (b) the Respondent took action shortly after the complaint was made to stop the use of the drop-down boxes and to arrange for its staff to fill in the forms themselves. 18. In view of the factors noted above, the Commission has decided not to issue any direction to the Respondent to take remedial action or to pay a financial penalty. Instead, it has decided to issue a Warning against the Respondent for the breach of its obligations under Section 24 of the PDPA. 19. The Commission emphasises that it takes a very serious view of any instance of non-compliance with the PDPA, and it urges organisations to take the necessary action to ensure that they comply with their obligations under the PDPA. The Commission will not hesitate to take the appropriate enforcement action against the organisation(s) accordingly. YEONG ZEE KIN COMMISSION MEMBER PERSONAL DATA PROTECTION COMMISSION 1 Section 24 of the PDPA states that an organisation is obliged to protect personal data in its possession or control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. Section 24 of the PDPA came into effect on 2 July 2014. 2 “Personal data” as referred to in Section 24 of the PDPA refers to data, whether true or not, about an individual who can be identified: (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access. 
",Warning,c855c0d45a390605ad222378eaba45c50f51a246,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,236,236,1,952,"A financial penalty of $5,000 was imposed and directions issued to Fei Fah Medical Manufacturing for failing to implement proper and adequate protective measures to secure its website and server, resulting in unauthorised disclosure of the personal data of more than 900 customers.","[""Protection"", ""Financial Penalty"", ""Directions"", ""Healthcare"", ""FEI FAH"", ""MEDICAL"", ""TCM""]",2016-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---fei-fah-medical-manufacturing-(210416).pdf,Protection,Breach of Protection Obligation by Fei Fah Medical Manufacturing,https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-obligation-by-fei-fah-medical-manufacturing,2016-04-21,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1409-A145 FEI FAH MEDICAL MANUFACTURING PTE. LTD. (UEN No. 199800455H) …Respondent Decision Citation: [2016] SGPDPC 3 GROUNDS OF DECISION 20 April 2016 Background 1. Fei Fah Medical Manufacturing Pte. Ltd. (UEN 199800455H) (“Fei Fah Medical”) is a locally registered company specialising in the development and manufacture of healthcare and beauty products. The Ripple Website 2. Fei Fah Medical operates a website under the name Ripple Tea Company at www.ripple.com.sg (“Site”). 3. The Site consists of both publicly accessible pages, and a members’ portal (which is accessible only by individuals who had signed up with Fei Fah Medical under a membership scheme called Ripple Club, upon logging into the portal with their respective user identifications (“IDs”) and passwords). Data Leak Incident 4. 
On 29 September 2014, the Personal Data Protection Commission (“Commission”) was informed that information of users of the Site had been posted on http://pastebin.com (“Pastebin”), a website which allows members of the public to post and share text online publicly (the “Data Leak”). 5. The relevant information was ostensibly uploaded onto the Pastebin website by a Pastebin user with the username “KAMI_HAXOR”, in the form of a post in plain text that could be publicly viewed by any visitor to the Pastebin website. 6. The post was undated and captioned “Ripple Tea Company Singapore 900+ Users emails+passes+Names+mobile Numbers With Subscribers Emails Leaked By KaMi HaXor”. 7. The post contained a list of data, which were numbered from 1 to 2,981, ostensibly to indicate that there were 2,981 entries in it. The data in the post appeared to have been sorted into the following three categories: (a) Email addresses – there were 1114 entries of email addresses. The email addresses were unaccompanied by other data or identifiers. 219 of the entries contained “.sg” domain names; (b) User ID and encrypted passwords to Ripple Club accounts – there were 876 entries of user IDs and passwords, which had been encrypted using an MD5 message-digest algorithm, a commonly used cryptographic hash function producing a 128-bit (16-byte) hash value; and (c) Telephone numbers – there were 836 entries of telephone numbers containing between seven and ten digits. It was unclear whether the telephone numbers were Singapore or Hong Kong telephone numbers as the format of telephone numbers used by the countries is similar. 8. In light of the information received, the Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (No. 26 of 2012) (the “Act”) to ascertain whether there had been a breach by Fei Fah Medical of its obligations under the Act. Nature of the Data Leak Incident 9. 
In its responses to the Commission, Fei Fah Medical confirmed that the data in the list were those of prospective customers and general enquirers to its Ripple brand products. 10. Fei Fah Medical further confirmed that the data was collected via its Site and stored in a database based in Hong Kong. Fei Fah Medical had outsourced all its web development and hosting functions to its Hong Kong-based data intermediary, IT Factory. IT Factory had in turn engaged HKNet Company Limited, also based in Hong Kong, to provide the actual hosting services for the database. 11. Fei Fah Medical indicated that it had no knowledge of the Data Leak prior to receiving the Commission’s Notice dated 1 October 2014. However, after being alerted to the Data Leak, it sent email notifications to all affected individuals, informing them that there had been hacking activity on the Site and that their personal data may have been compromised. 12. Fei Fah Medical also took steps to instruct IT Factory to remove all data collecting functions from its Site. However, as these instructions failed to be carried out by IT Factory, new data continued to be collected via the Site till 30 July 2015 (almost ten months after Fei Fah Medical was first notified about the Data Leak), when the Commission alerted Fei Fah Medical to the fact that the Site still retained its data collecting functions. 13. Fei Fah Medical was unable to ascertain how the Data Leak could have occurred and did not appear to be familiar with the security measures which were used on the Site at the material time. In fact, in its responses to the Commission, Fei Fah Medical simply stated the cause of the Data Leak to be “unknown” and was unable to provide any logs or files capturing the intrusion to its data system. 14. Fei Fah Medical also appeared to be uncertain about which individuals or organisation had access to the leaked data. 
Although Fei Fah Medical initially stated that the leaked data was only accessible by “the actual host” HKNet Company Limited, it later clarified that the data was also accessible at the material time by its own backend administration staff (i.e. those who administered the database), and by using the staff ID of one of its directors, [Redacted] (Replaced with Mr L). Additionally, it admitted that it would have been possible for a hacker to access the database to extract the data by seeding “some program in the server”. 15. Overall, Fei Fah Medical was unable to explain how the Data Leak occurred. It was also unable to explain or provide sufficient information on the security measures implemented on either the Site or database at the material time. 16. In relation to the number of individuals affected by the Data Leak, the Commission notes that the title of the post indicates that the data of approximately 900 users had been disclosed in the data list. Although Fei Fah Medical claimed that not all the information in the data list was accurate, it did not dispute the number of users who were affected by the Data Leak. 17. Having reviewed the relevant facts and circumstances, including the written responses to the NTPs1 submitted by Fei Fah Medical, the Commission sets out below its findings and assessment in relation to the Data Leak. THE COMMISSION’S FINDINGS AND ASSESSMENT Personal Data Leaked 18. As noted above, there were three categories of data found in the post at the Pastebin website. Fei Fah Medical acknowledged in its representations to the Commission that the data in the post were those of prospective customers and general enquirers to its Ripple brand products. Fei Fah Medical also acknowledged that personal data of Ripple Club members was stored in its database, which could be retrieved with the appropriate user ID and password. 19. 
Although the passwords were encoded, they had been encoded using an MD5 message-digest algorithm, a commonly used cryptographic hash function, which could be easily attacked with password tables by any motivated individual. 20. Further, given that anyone who had obtained a valid user ID and password combination would be able to log in to the Site to retrieve personal details relating to the respective Ripple Club member, it is apparent that a valid user ID and password combination would be able to identify an individual Ripple Club member. Accordingly, the Commission is of the view that the user IDs and passwords that were leaked would fall within the definition of “personal data” in the Act.2 21. In addition, several of the telephone numbers disclosed in the data list appeared to be personal mobile telephone numbers, which would, by themselves, be able to lead to the identification of the individuals owning the numbers. Similarly, several of the email addresses display what seem to be the full names of the respective owners of the email addresses, and appear capable of identifying them. Those telephone numbers and email addresses thereby constitute “personal data” under the Act.3 Personal Data under the Possession and Control of Fei Fah Medical 22. Fei Fah Medical confirmed the fact that the Site was fully owned and administered by it at all material times. The personal data of Fei Fah Medical’s Singaporean users were also generally collected via the Site from Singapore. 23. For completeness, the Commission notes Fei Fah Medical’s statements that: (a) IT Factory, as Fei Fah Medical’s website vendor, was engaged to supply and design the website and to provide maintenance upon request; and (b) the contents collected via the Site were stored in a database hosted at the premises of HKNet Company Limited, a data hosting service provider, on a dedicated server. 24. 
It is apparent from the information provided by Fei Fah Medical that IT Factory and HKNet Company Limited, as Fei Fah Medical’s vendors, undertook these functions on behalf of Fei Fah Medical. 25. Although Fei Fah Medical initially stated that the leaked data was only accessible by HKNet Company Limited, it subsequently clarified that the data was also accessible at the material time by its backend administration staff (i.e. those who administered the database), and by one of its directors, Mr L. In fact, Fei Fah Medical remained in control of the personal data stored in the database hosted by HKNet Company Limited at all material times, as evidenced by Fei Fah Medical’s instructions to IT Factory to delete all the personal data subsequent to the Data Leak. 26. Accordingly, the Commission is satisfied that, at all material times, the relevant personal data of users of the Site and whose security was compromised as a result of the Data Leak, was in the possession and/or under the control of Fei Fah Medical. Adequacy of Security Arrangements 27. Fei Fah Medical, being an organisation which had its Site users’ personal data under its possession and/or control, is required to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the “Protection Obligation”).4 28. However, Fei Fah Medical was unable to provide any information about the security arrangements that it had put in place to protect either the Site or the server where the database of personal data collected was hosted. 29. Although Fei Fah Medical claimed that it had set up some firewalls within the administration control panel, it was neither able to provide details as to the nature of these firewalls nor any evidence as to their existence in its responses to the NTPs issued by the Commission. 30. 
In the Commission’s view, the facts demonstrate that, prior to the Data Leak, Fei Fah Medical had made little effort to inquire into and/or ensure the security of personal data stored on the Site. Fei Fah Medical appeared to have little knowledge as to whether there were security measures implemented on its Site or the server where the database of personal data collected was hosted. 31. In light of the foregoing, the Commission is of the view that Fei Fah Medical has failed to make reasonable security arrangements in respect of personal data relating to users of its Site, as required under the Protection Obligation. THE COMMISSION’S DIRECTIONS 32. At the time of this decision, the list of data appears to have been removed from the Pastebin website. 33. In determining the directions to be given to Fei Fah Medical, the Commission has given due consideration to all the relevant factors, including the following: (a) Fei Fah Medical had been neither cooperative nor forthcoming in its responses to the NTPs issued by the Commission as part of its investigations. In this regard, the Commission notes that Fei Fah Medical had provided incomplete responses to the first and second NTPs issued by the Commission, and initially ignored the third NTP issued by the Commission. Fei Fah Medical also took between three weeks and a month to respond to each NTP and its responses were not forthcoming; and (b) although Fei Fah Medical took steps to instruct its Hong Kong-based data intermediary IT Factory to implement remedial actions to address the Data Leak following its discovery on 1 October 2014, it did not ensure that its instructions were carried out by its data intermediary. The data intermediary only implemented remedial actions to address the Data Leak on 30 July 2015, more than ten months after Fei Fah Medical first discovered the Data Leak. 
This undue delay in implementing the remedial actions suggests a continuing insouciance by Fei Fah Medical with respect to its obligation to make reasonable security arrangements to keep personal data in its possession or under its control protected. 34. Pursuant to section 29(2), and having completed its investigation and assessment of this matter, the Commission is satisfied that Fei Fah Medical has been in breach of the Protection Obligation under section 24 of the PDPA.5 35. The Commission notes from the representations submitted by Fei Fah Medical’s lawyers on its behalf to the Commission that it intends to shut down the Site and replace it with a newly constructed website within 4 months. Having carefully considered all the relevant factors of this case, the Commission hereby directs Fei Fah Medical to do the following: (a) Fei Fah Medical shall within 120 days from the date of the Commission’s direction: (i) implement a new website to replace the Site; (ii) conduct a web application vulnerability scan of the new website; and (iii) patch all vulnerabilities identified by such scan; (b) Fei Fah Medical shall, in addition, submit to the Commission by no later than 14 days after patching all vulnerabilities identified by the abovementioned vulnerability scan, a written update providing details on: (i) the results of the vulnerability scan; and (ii) the measures that were taken by Fei Fah Medical to patch all vulnerabilities identified by the vulnerability scan; and (c) Fei Fah Medical shall pay a financial penalty of S$5,000.00 within 30 days from the date of the Commission’s direction, failing which interest, at the rate specified in the Rules of Court in respect of judgment debts, shall be payable on the outstanding amount of such financial penalty. 36. The Commission emphasises that it takes a very serious view of any instance of non-compliance under the PDPA and with the Commission’s directions. 
LEONG KENG THAI CHAIRMAN PERSONAL DATA PROTECTION COMMISSION 1 Notice to Require Production of Documents and Information under the Ninth Schedule to the Personal Data Protection Act 2012. 2 Section 2 of the Personal Data Protection Act 2012. 3 Section 2 of the Personal Data Protection Act 2012. 4 Section 24 of the Personal Data Protection Act 2012. 5 The Personal Data Protection Act 2012. ","Financial Penalty, Directions",5fcc9a763e0542a3c0b5b5064e7e18de2255f864,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,237,237,1,952,"Financial penalties of $50,000 and $10,000 were imposed on K Box Entertainment Group (K Box) and its data intermediary, Finantech Holdings, for failing to implement proper and adequate protective measures to secure its IT system, resulting in unauthorised disclosure of the personal data of 317,000 K Box members. K Box was also issued directions and penalised for the absence of a Data Protection Officer.","[""Protection"", ""Accountability"", ""Financial Penalty"", ""Financial Penalty"", ""Arts, Entertainment and Recreation"", ""Information and Communications"", ""KBOX"", ""FINANTECH""]",2016-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---k-box-entertainment-(210416).pdf,"Protection, Accountability",Breach of Protection and Openness Obligations by K Box Entertainment Group and Finantech Holdings,https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-and-openness-obligations-by-k-box-entertainment-group-and-finantech-holdings,2016-04-21,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1409-A100 (1) (2) K BOX ENTERTAINMENT GROUP PTE. LTD. FINANTECH HOLDINGS PTE. LTD. …Respondents Decision Citation: [2016] SGPDPC 1 GROUNDS OF DECISION 20 April 2016 Background 1. 
K Box Entertainment Group Pte. Ltd. (“K Box”) operates a chain of karaoke outlets in Singapore. Finantech Holdings Pte. Ltd. (“Finantech”) is a third party IT vendor, which is owned and managed by its sole director, [Redacted] (Replaced with Mr G). 2. On 16 September 2014, the website “The Real Singapore” (“TRS”) published a post which indicated that a list containing personal data of about “317,000” K Box members (the “List”) had been disclosed online at http://pastebin.com/bnVhn3mp (“pastebin.com”). 3. The List contained personal data which all customers who sign up for a K Box membership, both before and after 2 July 2014, are required to provide, namely: (a) Name (as per NRIC); (b) NRIC / Passport / FIN number; (c) Mailing Address (Singapore only); (d) Contact number; (e) Email address; (f) Gender; (g) Nationality; (h) Profession; and (i) Date of birth. 4. After receiving complaints from members of the public regarding the data breach, the Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (“PDPA”) to ascertain whether there had been a breach by K Box and/or Finantech of their respective obligations under the PDPA. Material Facts and Documents K Box’s relationship with Finantech 5. As at 16 September 2014, K Box had engaged Finantech through the “website revamp contract dated 2012” and the “webhosting and server management contract dated 2009” to develop K Box’s Content Management System (“CMS”) system from the ground up and to revamp, manage and host its website. What the parties referred to as “contracts” were actually quotations sent by Finantech to K Box for their confirmation and acceptance. K Box’s CMS stored and processed the personal data of its members. The CMS system also utilised FCKEditor – a software library component which allowed the user to input formatted text. 6. 
Mr G of Finantech was the only one who had direct and full access to all the K Box members’ personal data as the sole administrator of K Box’s CMS system. In the past, a former project manager of Finantech, [Redacted] (Replaced with Mrs G), whose role was to help Mr G in managing K Box’s customer data, also had access through the administrative account in the CMS system, i.e. the ‘admin’ account with the password “admin”.1 Mrs G left Finantech on or around 2013. Apart from that, no one else, not even K Box’s IT manager [Redacted] (Replaced with Mr C) or K Box’s Chief Operation Officer, [Redacted] (Replaced with Ms N), had direct access to the database. 7. K Box employees with the title “Captain” and above2 (of which there were about 75 people with such a title) had restricted access to a function that allowed viewing of members’ personal data such as name, package, booking date and time, contact number, members’ number and visit date and time to check and confirm members’ booking. However, they could only view the details of each member one at a time, and not extract the entire members’ list. As such, whenever K Box required members’ personal data with selected criteria for marketing and promotional purposes, they would have to inform Mr G of the data required and he would perform the relevant queries on the database, export the information to an MS Excel document and email the document (unencrypted) via Gmail to K Box’s IT manager, Mr C, who would in turn email the document to K Box’s marketing department via Gmail. During investigations, it was discovered that Finantech had once sent K Box over 90,000 members’ personal data via unencrypted email via Gmail. By its own admission, K Box had never instructed Finantech to password-protect or encrypt emails containing a large volume of personal data prior to 16 September 2014. K Box’s Protection Measures 8. 
According to K Box, measures that were reasonable and appropriate taking into account “the nature of the K Box’s business (i.e. value for money, family-orientated, karaoke entertainment for everyone) and the fact that the data are non-financial in nature” were adopted with regard to the security of its members’ data. 9. K Box represented that secure server practices such as access controls and data protection policies that were established and observed in the organisation whether before 2 July 2014 or between 2 July 2014 and 16 September 2014 had been put in place since the implementation of its current website to protect individuals’ personal data. In addition, K Box represented that before 16 September 2014, employees were required to set alphanumeric passwords consisting of eight alphabets/numbers, one capital and one special case in accordance with K Box’s password policy. However, Mr C admitted that K Box did not “conduct audit on whether the staff really use eight numbers/letters alphanumeric, one capital and one special case password (sic.)” and Mr G had noted a receptionist using a one-letter password in the past. A software system “to force employees to adopt passwords that adhered to the KBox’s password policy (sic.)” was only implemented in November 2014. 10. Although K Box had outsourced its website maintenance, which includes maintenance of its backend CMS, and web hosting of its website to Finantech (“Services”), K Box represented that Finantech agreed and undertook that it would keep K Box’s data confidential as it was a term in their agreements. K Box had also held regular meetings with Mr G/Finantech on all aspects of the Services including any IT security concerns and Finantech would not conduct any major works or modification to the Services without first consulting K Box. K Box had “no reason to doubt” the competence or integrity of Finantech or that Finantech would not comply with the security measures and undertaking. 
However, by Finantech’s own admission, Finantech did not do any system monitoring in terms of IT security, security testing or regular IT security audits at the time of the breach and prior to 17 September 2014. 11. K Box had also represented that it did not have a Data Protection Officer (“DPO”) since 2 July 2014 to 20 April 2015 and conceded that its privacy policy prior to 16 September 2014 was not comprehensive. While each employee’s employment contract contains a term to keep all information relating to the operations of K Box confidential, there was no policy and physical or online security system in place to monitor whether a staff removed personal data from its premises. 12. In this connection, the “contracts” between K Box and Finantech did not include any contractual clauses that required Finantech to comply with a standard of protection in relation to the personal data transferred to it that is at least comparable to industry standards. According to Finantech’s representations, K Box had also never emphasised the need for data protection and their obligation towards K Box under the PDPA or informed Finantech of its data protection obligation after September 2014. Mr G had also represented that while he was aware of the existence of the PDPA, he was not aware of the specifics of it. The List 13. On 16 September 2014, the same day that TRS published the post mentioned at paragraph 2 above, K Box’s management realised, via the “Social Media, employees and The Real Singapore website”, that K Box members’ personal data had been uploaded on pastebin.com. Mr C had also received a call on his mobile phone from an unknown person to inform him that TRS had “posted information of K Box members” and to ask him to verify whether the information belonged to its members. 
Mr G investigated the breach by matching the disclosed personal data in the List with the information of K Box’s members from its database and confirmed that the List matched the one in K Box’s database. Thereafter, K Box notified its members of the data breach by way of a letter dated 16 September 2014 that was published online on the K Box homepage. 14. The next day, 17 September 2014, Mr C “deleted all the accounts of the staff who left (sic.)” and the unauthorised ‘admin’ account with the weak password “admin” was “deactivated”, “disabled” and the “password to the account was changed”. The CMS user activity log showed that Mr C had removed 36 accounts on 17 September 2014. No Conclusive Evidence that Data Breach Occurred Before 2 July 2014 15. Although the List was uploaded on pastebin.com on 16 September 2014, the List only contained members’ data up to 23 April 2014. There is no evidence available to conclusively ascertain when the List was obtained. 16. Based on Finantech’s initial investigation on the day the List was published, Finantech deduced that the List containing the personal data of K Box members could have been obtained by the cyber-attacker on or around 23 April 2014 for the following reasons: (a) The List stopped at the member record that was created on 23 April 2014 at 5.43am; (b) The CMS’s “user activity 2014.csv” (“User Activity Log File”) recorded that someone had logged in using the ‘admin’ account on 23 April 2014 at 9.59am; (c) A new member record was created on 23 April 2014 at 12.17pm but this was not included in the List; and (d) Subsequent member records created after 23 April 2014 were also not included in the List. 17. The User Activity Log File recorded that the user of the ‘admin’ account had logged in on 23 April 2014. The ‘admin’ user account was the account used by Finantech’s former employee, Mrs G. 
However, given that Mrs G had already left Finantech on or around 2013 and there was no evidence to suggest that she had been remotely accessing the ‘admin’ account, any use of this account after Mrs G had left Finantech would likely have been unauthorised and could be taken to be done by the cyber-attacker. 18. While it is possible that the data breach occurred on or around 23 April 2014, as there was evidence of unauthorised access to K Box’s CMS system in April 2014 or even earlier in 2013, the Commission is of the view that further data breaches could also have occurred in the following months until the new CMS was put in place in November 2014 for the following reasons: (a) The message “Remote session from client name a exceeded the maximum allowed failed logon attempts (sic.). The session was forcibly terminated”, indicating that more than 240 attempts were made in a single day, appeared frequently in the operating system log (“System Log”). The frequency of these messages may indicate unsuccessful attempts to hack into the operating system. The messages started appearing as early as October 2012 and continued until the latest parts of the log file in September 2014; and (b) Finantech itself noted that the System Log showed that the “[unauthorised user of the ‘admin’ account] was used to login a number of times after the breach. However, there was no indication that he had modified any user data.” The Commission has reviewed the System Log and the unauthorised user of the ‘admin’ account had performed about 83 logins in the period from 25 February 2014 to 16 September 2014, and about 15 logins in the entire calendar year 2013. Probable Cause of Breach 19. 
While the List only contains members’ data up to 23 April 2014, given the number of times the unauthorised user of the ‘admin’ account had logged in to K Box’s CMS system, it is possible that the cyber-attacker had accessed K Box’s CMS system after 2 July 2014 when the data protection provisions in the PDPA came into effect, but chose to publish the List reflecting the members’ list as at 23 April 2014. 20. Finantech had hypothesised that someone hacked into K Box’s CMS using the ‘admin’ user account with ‘admin’ password and planted a malware control and command centre to retrieve and export the members’ data. K Box similarly represented that Mr G had informed Mr C that the breach occurred because “he suspected someone used admin user account with the password also admin to login (sic.)” and “[Redacted] (Mr G) told me there was a Trojan in the hosting server and he suspected that was how the leak occurred (sic.)”. 21. While the System Log showed unauthorised usage of the ‘admin’ user account in 2014 and files detected as malware were found in the CMS folder, the Commission has not been able to conclusively verify Finantech’s hypothesis even after analysing the User Activity Log File and System Log. Nonetheless, the Commission considers that the ‘admin’ user account, which had a weak password “admin” was one of the possible ways that the data breach could have occurred. 22. Having reviewed the relevant facts and circumstances, including the statements and representations made by K Box and Finantech, the Commission has completed its investigation into the matter, and sets out its findings and assessment herein. THE COMMISSION’S FINDINGS AND ASSESSMENT Issues for Determination 23. 
The issues to be determined in the present case are as follows: (A) Whether K Box had breached its obligation under section 24 of the PDPA (the “Protection Obligation”); (B) Whether K Box had breached its obligation under sections 11 and 12 of the PDPA (the “Openness Obligation”), specifically, sections 11(3) and 12(a), for failure to appoint a DPO and put in place privacy policies and practices in contravention of those sections of the PDPA; (C) Whether Finantech is a data intermediary of K Box; and (D) Whether Finantech had breached the Protection Obligation. Issue A: Whether K Box had breached the Protection Obligation 24. Section 24 of the PDPA states: “Protection of personal data 24. An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.” 25. Pursuant to section 24 of the PDPA, K Box, being an organisation which had its members’ personal data under its possession and/or control, is required to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risk. The Protection Obligation applies equally to all personal data in the possession or under the control of the organisation, including personal data that the organisation may have collected before 2 July 2014, when the data protection provisions under Parts III to VI of the PDPA came into effect. 26. Following a careful assessment of the relevant facts and circumstances, the Commission is of the view that K Box had not discharged the Protection Obligation under section 24 of the PDPA. There are sufficient grounds (whether each on its own or altogether) to show that K Box failed to make reasonable security arrangements to protect the personal data in its possession or under its control from 2 July 2014 to November 2014. 
In particular, the Commission has identified the following vulnerabilities in K Box’s security arrangements which show how K Box failed to make reasonable security arrangements to protect the members’ personal data: (a) K Box could have, but failed to enforce its password policy, at least between 2 July 2014 and November 2014, thereby permitting the use of weak passwords: (i) As noted at paragraph 9 above, K Box did not “conduct audit on whether the staff really use eight numbers/letters alphanumeric, one capital and one special case password (sic.)”; and (ii) Even though it is a common industry practice to implement an organisation’s password policy in its system, K Box had not done so earlier and the feature where the system would enforce the password policy by rejecting passwords that did not meet the password policy was only built into the CMS system in November 2014. (b) K Box had weak control over unused accounts, specifically, unused accounts were not removed: (i) As stated at paragraph 14 above, as many as 36 accounts were removed from the CMS system on 17 September 2014, which suggests that K Box may not have had the practice of deleting the accounts of staff that had left the company until it conducted the review on 17 September 2014. This is despite the fact that K Box was able to remove the unused accounts within a day after the List had been disclosed online which shows that K Box could have easily removed the unused CMS accounts earlier but it had failed to do so; (ii) As a result of K Box and/or Finantech’s failure to promptly remove unused accounts from the CMS system, the unused administrative CMS account with the user name ‘admin’ and a weak password of ‘admin’ remained in the CMS for about one year after Mrs G had left Finantech. 
This had put the personal data of K Box’s members at risk because as noted at paragraph 20 above, Finantech itself had hypothesised that someone could have hacked into K Box’s CMS using this ‘admin’ user account and planted a malware control and command centre to retrieve and export the members’ data; and (iii) Further, as noted at paragraph 18 above, there was evidence of multiple unauthorised accesses to the CMS system through this ‘admin’ user account in 2013 and between 25 February 2014 and 16 September 2014. As such, it is possible that K Box members’ personal data could have been further compromised through this ‘admin’ user account between 2 July 2014 and 16 September 2014 as a result of the failure to remove the unused administrative account. (c) K Box failed to utilise newer versions of the software library and/or to conduct audits of the security of its database and system: (i) K Box’s CMS system utilised an older version of the FCKEditor which according to security vulnerability website CVE, had at least 9 known vulnerabilities which would have allowed cyber-attackers to install remote shells and execute malicious codes and to execute such codes to extract the full member list from the database. Even though this vulnerability could have been prevented by utilising newer versions of the software library or by patching, Finantech, whose role was to manage the CMS system, had failed to do either; and (ii) K Box had also failed to conduct audits to supervise the security of its database and system. As noted at paragraph 10 above, Finantech admitted that it did not carry out any system monitoring in terms of IT security, security testing or regular IT security audits at the time of the breach and prior to 17 September 2014. 27. K Box’s weak enforcement of their password policy and weak control of unused accounts and passwords alone could have enabled an attacker to gain access to substantial personal data simply through the CMS system. 
Furthermore, K Box’s use of vulnerable software could have allowed the attacker to gain access to the system beyond the CMS limitations and to perform direct access to all data from K Box’s database and potentially misuse the personal data. 28. The vulnerabilities set out above demonstrate that K Box could have done more to protect the members’ personal data that was in its possession or under its control. When viewed in totality, the Commission is of the view that K Box had failed to make reasonable security arrangements to protect the members’ personal data because these vulnerabilities were preventable and were likely the main reasons for the data breach and subsequent disclosure of the List on 16 September 2014. In this regard, while K Box had outsourced the developing, hosting and managing of its CMS system to Finantech, it was still the data controller and was ultimately responsible for the security of the CMS system. 29. Apart from the system-related shortcomings highlighted above, investigations disclosed that there were also poor practices. (a) Emails containing large volume of personal data were sent via Gmail without any password-protection or encryption: (i) Even though the unauthorised access to the personal data of about “317,000” K Box members was not caused by a breach that was the result of the use of unencrypted emails, as noted at paragraph 7 above, Finantech had previously sent K Box over 90,000 members’ personal data via unencrypted email via Gmail. The practice of sending large volumes of members’ personal data via unencrypted email is a vulnerability and an example of how K Box had not sufficiently protected the members’ personal data. 
The better practice would have been for Finantech to encrypt or to ensure that the MS Excel document containing the list of members’ personal data was password protected before sending it to K Box.3 (b) K Box failed to effectively manage its vendor (Finantech) to ensure that they undertook adequate measures to protect members’ personal data: (i) For the reasons stated at paragraphs 33 and 34 below, the Commission finds that Finantech is a data intermediary of K Box and pursuant to section 4(3) of the PDPA, K Box has the same obligations in respect of the personal data processed on its behalf and for its purpose by Finantech as if the personal data were processed by K Box itself. As highlighted in the Commission’s Advisory Guidelines on Key Concepts in the PDPA issued on 23 September 2013 (at paragraph 6.21) that: “… it is very important that an organisation is clear as to its rights and obligations when dealing with another organisation and, where appropriate, include provisions in their written contracts to clearly set out each organisation’s responsibilities and liabilities in relation to the personal data in question including whether one organisation is to process personal data on behalf of and for the purposes of the other organisation.” [Emphasis added.]; and (ii) However, as noted at paragraph 12 above, K Box failed to ensure that its data intermediary, Finantech, complied with a standard of protection in relation to the personal data transferred to it that is at least comparable to industry standards through its agreements and in its interactions with Finantech. 30. On the facts of the case and the assessment conducted, the Commission finds that both K Box and Finantech did not put in place adequate IT security arrangements between 2 July 2014 and November 2014, prior to the implementation of the new CMS system in November 2014. Issue B: Whether K Box had breached the Openness Obligation 31. 
Sections 11 and 12 of the PDPA together constitute the Openness Obligation under the PDPA, which provides that an organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available. In particular, section 11(3) of the PDPA provides that an organisation shall designate one or more individuals, a DPO, to be responsible for ensuring that the organisation complies with the PDPA. In the same vein, section 12(a) of the PDPA requires organisations to develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisations under the PDPA. 32. Based on investigations and representations made by K Box, the Commission is not satisfied that K Box has complied with the Openness Obligation under sections 11(3) and 12(a) of the PDPA. To begin with, as noted at paragraph 11 above, K Box conceded in its representations that it did not have a comprehensive privacy policy prior to 16 September 2014. By K Box’s own admission, as there was no policy and physical or online security system in place to monitor whether a staff removed personal data from its premises, a K Box staff could have simply copied the member’s list it received from Finantech and abused that list. In addition, K Box had also represented that it did not have a DPO. In fact, to date, it is unclear whether K Box has appointed a DPO because Mr C represented that K Box was in the midst of appointing a DPO even as late as 20 April 2015 when he gave his statement to the Commission. In light of the foregoing lapses, the Commission finds that K Box has been in breach of the Openness Obligation. Issue C: Whether Finantech is a data intermediary of K Box 33. 
Under section 2(1) of the PDPA, a “data intermediary” is an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation. The term “processing” in relation to personal data means the carrying out of any operation or set of operations in relation to the personal data and includes, but is not limited to, any of the following: recording; holding; organisation, adaptation or alteration; retrieval; combination; transmission; erasure or destruction.4 Section 4(2) of the PDPA confers on a data intermediary the obligation to protect personal data under section 24 of the PDPA and the obligation to cease to retain personal data under section 25 of the PDPA. Save for the aforementioned obligations, Parts III to VI of the PDPA do not impose any other obligations on the data intermediary. 34. Having considered the facts and the representations made by K Box and Finantech, the Commission is satisfied that Finantech is a data intermediary of K Box. The fact that (i) K Box employees, including K Box’s IT manager and the Chief Operating Officer, only had restricted access to the information of members, and (ii) K Box relied on Mr G to extract and send them members’ personal data with selected criteria from the database clearly shows that in practice, Finantech processed (by having access to, storing and retrieving) all personal data of K Box’s customers pursuant to the arrangement between Finantech and K Box. 35. Notwithstanding that the “contracts”, which were in fact quotations sent by Finantech to K Box for their confirmation and acceptance, pre-date the commencement of the data protection provisions of the PDPA and do not identify Finantech as a data intermediary of K Box, in light of the above practices which continued after the commencement of the data protection provisions, the Commission finds that Finantech is a data intermediary of K Box for the purposes of the PDPA. 
Issue D: Whether Finantech had breached the Protection Obligation 36. Section 24 read with section 4(2) of the PDPA confers an obligation on the data intermediary to “[make] reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks”. In view of the Commission’s finding that Finantech is a data intermediary of K Box, Finantech is required to comply with the obligation under section 24 of the PDPA to protect the personal data that it was processing on behalf of K Box. 37. In this regard, on the facts and circumstances, the Commission is of the view that Finantech had failed to put in place the required security measures that K Box needed in order to provide adequate protection for the personal data in K Box’s database and system. In particular, the Commission notes that Finantech had been involved in the setting up and day-to-day processing of K Box’s personal databases from 2007. By dint of its role and function, Finantech is expected to uphold a certain basic professional standard and the vulnerabilities identified at paragraphs 26 to 29 above show that Finantech had not undertaken due diligence in executing its role. Finantech’s failures had led to multiple unauthorised accesses and Finantech had put the personal data of K Box’s members at risk. 38. If Finantech had advised K Box on its obligations but K Box had rejected their advice, the Commission could have taken this into account in its assessment of Finantech’s culpability. However, investigations did not disclose any evidence to suggest that Finantech had actually advised K Box of the need to have in place adequate security measures to protect the personal data in K Box’s database. In fact, as stated at paragraph 12 above, Mr G admitted that he was only aware of the existence of the PDPA but not the specifics. 39. 
In view of all the relevant facts and circumstances, the Commission is not satisfied that Finantech has complied with the Protection Obligation under section 24 of the PDPA. THE COMMISSION’S DIRECTIONS 40. Under section 29(1) of the PDPA, the Commission may, “if it is satisfied that an organisation is not complying with any provision in Parts III to VI of the Act, give the organisation such directions as the Commission thinks fit in the circumstances to ensure compliance with that provision.” Section 29(2) of the PDPA also empowers the Commission to make all or any of the following directions: (a) To stop collecting, using or disclosing personal data in contravention of this Act; (b) To destroy personal data collected in contravention of this Act; (c) To comply with any direction of the Commission under section 28(2) of the Act; and (d) To pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit. Other Factors Considered 41. In assessing the breach and the remedial directions to be imposed, the Commission took into consideration various factors relating to the case, including the mitigating and aggravating factors set out below. K Box’s Breach of the Protection Obligation and the Openness Obligation 42. In relation to K Box’s breach of the Protection Obligation and the Openness Obligation, the Commission took into account the following factors: (a) The remedial actions undertaken by K Box were fair and prompt when they discovered the data breach in September 2014; (b) Most of the remedial actions were taken either in September or November 2014; (c) The Commission found no evidence to suggest that the data breach was due to actions taken by K Box staff, through the CMS system; (d) A fairly large amount of personal data (approximately “317,000” K Box members or more) had been disclosed as a result of the lack of security. 
The personal data comprising their full names, contact numbers, email addresses, residential addresses, contact numbers, gender, profession, date of birth, and member number were sensitive data because it could have led to identity theft; (e) K Box (as the primary data owner) had disregarded its obligations under the PDPA. K Box had ample opportunities to put in place reasonable security measures from 2 January 2013 to 2 July 2014 but it did not do so. K Box had also failed to appoint a DPO or put in place privacy policies or practices as late as April 2015. K Box had also failed to put in place data protection terms and conditions in its contract with Finantech, and to instruct it (as the main data processor of K Box members’ personal data) to protect personal data; and (f) K Box was not forthcoming in providing information during the investigation. They had only provided bare facts in their responses during the investigations, which did not facilitate the Commission’s investigations. Finantech’s breach of the Protection Obligation 43. In relation to Finantech’s breach of the Protection Obligation, the following factors were taken into consideration: (a) The remedial actions undertaken by Finantech were fair and prompt when they discovered the data breach in September 2014; (b) Most of the remedial actions were taken either in September or November 2014; (c) A fairly large amount of personal data (approximately “317,000” K Box members or more) had been put at risk as a result of the lack of security. The personal data comprising their full names, contact numbers, email addresses, residential addresses, contact numbers, gender, profession, date of birth, and member number were sensitive data because it could have led to identity theft; (d) Finantech as the data intermediary had disregarded its obligations under the PDPA. Finantech had ample opportunities to put in place reasonable security measures from 2 January 2013 to 2 July 2014 but it did not. 
There was no evidence to show that Finantech had advised K Box on the reasonable security measures that the owner of an online system ought to implement in order to protect personal data held by the system; and (e) Finantech appeared not to be forthcoming in providing information during the investigation. Although the Notices to Require Production of Documents and Information under the Ninth Schedule of the PDPA (“NTPs”) were sent to Finantech as early as October 2014, Finantech’s responses to these NTPs were only provided in April 2015 – almost seven months after the NTPs were first issued. This delayed the investigation process. 44. 45. Having completed its investigation and assessment of this matter, the Commission is satisfied that K Box has been in breach of the Protection Obligation under section 24 of the PDPA and the Openness Obligation under sections 11(3) and 12(a) of the PDPA for the reasons cited in paragraphs 26 to 28 and paragraph 31 above. Pursuant to section 29(2) of the PDPA, the Commission hereby directs K Box to do as follows: (a) Pay a financial penalty of $50,000 within 30 days from the date of the Commission’s direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall be payable on the outstanding amount of such financial penalty; and (b) Appoint a DPO within 30 days from the date of the Commission’s direction (if it has not already done so). The Commission is also satisfied that Finantech has not complied with the Protection Obligation under section 24 of the Act for the reasons cited in paragraphs 33, 34, 36 and 37 above. Pursuant to section 29(2) of the PDPA, the Commission hereby directs Finantech to do as follows: (a) Pay a financial penalty of $10,000 within 30 days from the date of the Commission’s direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall be payable on the outstanding amount of such financial penalty. 
The Commission emphasises that it takes a very serious view of any instance of non-compliance under the PDPA and with the Commission’s directions. LEONG KENG THAI CHAIRMAN PERSONAL DATA PROTECTION COMMISSION 1 Mr G was the only employee at the material time of Finantech. Mrs G was the only person assisting Mr G in the past. 2 Captain is the supervisor of the service crews and his or her role is to access the customers’ information to check their booking. 3 See paragraph 14.3 of the PDPC’s Guide to Securing Personal Data in Electronic Medium issued on 8 May 2015. 4 See section 2(1) of the PDPA. ","Financial Penalty, Financial Penalty",0f17cc82606ea4b02faecc4e12ee601c188e3db7,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,238,238,1,952,"A financial penalty of $10,000 was imposed and directions issued to the Institution of Engineers, Singapore for failing to implement proper and adequate protective measures to secure its IT system, resulting in unauthorised disclosure of the personal data of more than 4,000 members.","[""Protection"", ""Financial Penalty"", ""Directions"", ""General (eg. Chamber of Commerce)"", ""IES""]",2016-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---institute-of-engineers-singapore-(210416).pdf,Protection,"Breach of Protection Obligation by Institution of Engineers, Singapore",https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-obligation-by-institution-of-engineers--singapore,2016-04-21,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1411-A213 THE INSTITUTION OF ENGINEERS SINGAPORE …Respondent Decision Citation: [2016] SGPDPC 2 GROUNDS OF DECISION 20 April 2016 Background 1. The Institution of Engineers Singapore (UEN S66SS0041B) (“IES”) is a society registered with the Registry of Societies. 
IES was formally established in July 1966 as the national society of engineers in Singapore. Its functions include the accreditation of engineering academic programmes (through its Engineering Accreditation Board); the maintenance of professional registries; and the promotion of social, business, professional, and career development amongst engineers in Singapore. The IES Website 2. IES operates a website at www.ies.org.sg (“Site”), which consists of both publicly-accessible pages, and a members’ portal, accessible only by members of IES, upon logging into the portal with their respective user identifications (“IDs”) and passwords. The Site also allows members of the public, who are non-IES members, to create an account on the Site in order to login to access and post on the Site’s forums. 3. According to information provided by IES, the functions of the Site include: (a) enabling members to update their membership details such as addresses, emails and contact information; (b) applying for courses and events that are created by IES; (c) applying for email addresses with ies.org.sg domain, e.g., abc@ies.org.sg; (d) payment for membership and courses via PayPal; (e) accessing webmail; (f) allowing members to search for information about other members; CONFIDENTIAL Page 1 of 9 (g) publishing information on IES events, courses, seminars, job listings, and information on various registries (e.g., ABC Waters Professional Registry and others); (h) applying for IES membership; and (i) accessing IES forums. 4. Members of IES who log in to the Site using their membership user IDs are able to access certain dedicated membership Site functions, including receipt of ad hoc AGM notices, quick poll functions, profile updates, and change of passwords. Data Leak Incident 5. 
On 1 October 2014, the Personal Data Protection Commission (“Commission”) was informed that the information of users of the Site had been posted on http://pastebin.com (“Pastebin”), a website which allows members of the public to post and share information online (the “Data Leak”). 6. The relevant information was ostensibly uploaded onto the Pastebin website by a Pastebin user with the username “KAMI_HAXOR”, in the form of two posts in plain text that could be publicly viewed by any visitor to the Pastebin website. The two posts were dated 30 September 2014 and were respectively captioned: (a) “IES.ORG.SG 6,000+ Usersnames + pass Leaked by KaMi HaX” (the “User ID List”); and (b) “Ies.org.sg 60,000+ Users Data Leaked by KaMi HaXor” (the “Additional List”). 7. The User ID List was titled “The Institution of Engineers Singapore 6000= [sic.] users , 90,000+ Mobiles leaked By KaMi HaXor… Target= http://www.ies.org.sg/”, and contained a list of characters separated with a colon, in the format “XXXX:XXXX”, which was labelled “MemberId:Pass”. 8. The Additional List was titled “The Institution of Engineers Singapore 60,000+ Mobiles leaked By KaMi HaXor… Target= http://www.ies.org.sg/”, and contained a list of eight-digit numbers that were consistent with the format of Singapore telephone numbers. 9. In light of the information received, the Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (No. 26 of 2012) (the “Act”) to ascertain whether there had been a breach by IES of its obligations under the Act. Nature of the Data Leak Incident 10. IES informed the Commission that the passwords and IDs in the User ID List were those of IES members and that it was made aware of the Data Leak by one Nicholas Lee, who had written to IES on 1 October 2014 at 10.13 am, to inform IES about the Data Leak. 11. 
IES also provided the Commission with a copy of a Site audit report which was conducted by its website vendor, Forecepts Pte. Ltd. (“Forecepts”), using Acunetix software, in the aftermath of the Data Leak. The report, titled “Acutenix Website Audit Developer Report”, dated 3 November 2014 (“1st Scan Report”) indicated a number of vulnerabilities with the Site, including 48 high-severity vulnerabilities in the Site set out below (high-severity vulnerability type identified, with the number of variations in brackets): Blind SQL Injection (1); Cross site scripting (8); Cross site scripting (verified) (30); Cross site scripting [stored] (verified) (1); FCKeditor spellchecker.php cross site scripting vulnerability (2); HTML Form found in redirect page [high severity] (4); jQuery Cross Site Scripting (1); PHP allow_url_fopen enabled (1). 12. Forecepts suspected that the attack on the Site was likely to have been caused by cross-site scripting but was unable to confirm this. In any case, the Commission notes that cross-site scripting was identified in the 1st Scan Report as a high-severity vulnerability that existed in the Site. 13. In relation to the number of individuals affected by the Data Leak, the Commission notes that the titles of the User ID List and the Additional List respectively indicate that the data of more than 6,000 users had been disclosed in the User ID List, and that the data of more than 60,000 users had been disclosed in the Additional List. However, IES submitted that it was unable to identify the total number of IES members which were affected by the Data Leak, as the “data published online are in random”. 14. At the time of this decision, both the User ID List and the Additional List appear to have been removed from the Pastebin website. 15. Having reviewed the relevant facts and circumstances, including the written responses to the NTPs submitted by IES, the Commission sets out below its findings and assessment in relation to the Data Leak. 
THE COMMISSION’S FINDINGS AND ASSESSMENT Personal Data Leaked 16. “Personal data” is defined under section 2 of the Act, as follows: “‘personal data’ means data, whether true or not, about an individual who can be identified – (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access.” 17. As noted above, IES admitted that the passwords and IDs in the User ID List belonged to its members. According to publicly-available information on the Site, IES’s membership comprises both individuals and organisations. Organisation members may be represented in IES by up to two individuals from the organisation. Individuals who are not part of any organisation can also join as members of IES with the relevant engineering qualifications. 18. IES also acknowledged that the personal data of its members was stored in its web server and could be retrieved using the members’ respective user IDs and passwords. In particular, IES stated that “personal data such as Member ID, Name, Contact, Email and Address were stored in the database in www.ies.org.sg.” 19. In light of the foregoing, it is clear that the person or persons who had obtained and posted the User ID List on the Pastebin website in the first place, as well as any member of the public who came across the User ID List on the Pastebin website, could have used the IDs and passwords disclosed to log in to the accounts of individual and organisation members (represented by their nominated employees) on the Site, and thereby access personal data relating to these members that was stored on the Site. 20. 
Furthermore, given that anyone who had obtained a valid user ID and password combination would have been able to log in to the Site to retrieve personal details relating to the respective IES member, the Commission is of the view that anyone with a valid user ID and password combination would effectively be able to access the entire profile of an IES member and identify him or her. Accordingly, the Commission is of the view that the user IDs and passwords that were leaked would fall within the definition of “personal data” under the Act. 21. The Commission notes that IES had taken the view that the possibility of any individual using the information in the User ID List to access the personal data in IES’s webserver was remote as the listing of user IDs and passwords was “random, unrelated and unlinked”. IES was also of the view that it was unlikely that the person or persons who had obtained and posted the User ID List on the Pastebin website had used the IDs and passwords displayed to log in to the accounts of its members on the Site to access personal data stored on the Site “or he would have placed the relevant information in a different (database) format” (sic). 22. The Commission disagrees with the views expressed by IES. The risk of access by any individual using the user ID and password combinations in the User ID List is not remote. The User ID List is effectively a dictionary of valid user IDs and passwords that can be used in a dictionary attack. With automatic scripting, an individual can log in to any IES member’s account notwithstanding that the manner in which the user IDs and passwords had been presented in the list appeared “random, unrelated and unlinked”. Indeed, the Commission cannot exclude the possibility that the person or persons who had obtained and posted the User ID List on the Pastebin website may have already done so notwithstanding the lack of complaints of abuse of personal data from IES members thus far. 23. 
Accordingly, it is clear that, as a result of the Data Leak, the security of personal data relating to IES members was compromised as such personal data could have been accessed by one or more unauthorised persons with knowledge of the leaked user IDs and passwords. Personal Data under the Possession and Control of IES 24. The Commission notes that, at all material times, the Site was fully owned and administered by IES. For completeness, the Commission also notes that although IES had engaged two vendors for the Site, these vendors undertook their respective functions on behalf of IES and did not own or administer the Site: (a) Forecepts, as IES’s website vendor, was engaged to supply and design the website and Content Management System. Forecepts was also engaged to provide maintenance to the Site, but only upon request by IES; and (b) the Site was hosted at the premises of ReadySpace (SG) Pte Ltd (“ReadySpace”), IES’s hosting service provider, on a dedicated server. 25. Further, the Commission’s investigations found that there were four individuals within IES who could access the list of member IDs and passwords and personal data relating to IES members. These were IES’s IT manager, IT executive, membership manager, and membership executive. 26. Accordingly, the Commission is satisfied that, at all material times, the relevant personal data of IES members, which was stored on the Site and whose security was compromised as a result of the Data Leak, was in the possession and/or under the control of IES. Adequacy of Security Arrangements 27. Section 24 of the Act states: “Protection of personal data 24. An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.” 28. 
Pursuant to section 24 of the Act, IES, being an organisation which had its members’ personal data under its possession and/or control, is required to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the “Protection Obligation”). 29. IES informed the Commission that it had put in place the following security measures at the material time: (a) the Site’s server was hosted in a secure site and in a dedicated server, and protected by a firewall and anti-virus software (namely, Parallels Plesk Panel 11.0.9); (b) software updates had been performed on the Parallels Plesk Panel 11.0.9 firewall and anti-virus software; and (c) a list of user IDs and passwords relating to the IES members could be extracted from the members’ portal and saved; however such a function could only be performed by the four individuals within IES who could access the list of member IDs and passwords (namely, IES’s IT manager, IT executive, membership manager, and member executive). Forecepts was also authorised to access such a function for the purposes of maintaining, troubleshooting, and updating the Site. 30. However, from the Commission’s investigations, it was also apparent that: (a) the Site had not provided for the encrypted storage of member passwords; (b) prior to the Data Leak, no audit had been conducted on ReadySpace’s enterprise hosting services and/or the security of the Site; (c) IES had not conducted any penetration testing on the Site, and was not aware of penetration testing software; and (d) while IES represented that it had made phone calls to its vendors ReadySpace and Forecepts to inform them about the Act, there was no indication that IES had otherwise given instructions to its vendors to make security arrangements so as to ensure that personal data stored in the Site would be protected in compliance with IES’s obligations under the Act. 
Furthermore, the contractual terms between IES and its vendors, as submitted by IES, did not appear to contain any specific security arrangements or requirements for its vendors to put in place security measures to safeguard IES members’ personal data stored in the Site. 31. In addition, as already mentioned earlier, the 1st Scan Report by Forecepts following the Data Leak indicated that there existed a number of vulnerabilities with the Site, including 48 high-severity vulnerabilities such as cross-site scripting and SQL injections. 32. Cross-site scripting is a common web vulnerability, which could have been easily detected by performing a vulnerability scan, such as the one performed by Forecepts after the Data Leak. Once identified, the vulnerabilities can be patched according to the many guides that are readily available on the Internet. The conduct of vulnerability scans using automated tools like Acunetix is considered industry best practice. 33. In this case, IES acknowledged that it had not undertaken any sort of audit to detect security vulnerabilities on the Site. IES had also not demonstrated that it had made any effort to require its vendors to evaluate and/or ensure the security of personal data stored on the Site. 34. While the Site may have had a firewall and anti-virus software in place, these measures alone were clearly inadequate to reasonably ensure the security of personal data stored in the Site, as the firewall and anti-virus software would not protect against common vulnerabilities such as cross-site scripting. This would have been apparent, and indeed was made apparent, by a vulnerability scan such as the one conducted by Forecepts after the Data Leak. 35. From the above, it would appear that prior to the Data Leak, IES had made insufficient effort to inquire into and/or ensure the security of personal data stored on the Site. 
As a result, numerous security vulnerabilities existed in the Site at the time of the Data Leak, which could have been reasonably detected and patched by available means. 36. In light of the foregoing, the Commission is of the view that IES has failed to make reasonable security arrangements in respect of personal data relating to its members, as required under the Protection Obligation. THE COMMISSION’S DIRECTIONS 37. In its representations to the Commission, IES took the position that it was a small organisation that had relied on external specialists for security-related advice and hence should not be heavily penalised for any breaches of the data protection provisions. IES was of the view that its external specialists had not advised any actions on possible areas of protection and/or detection until the breach to the Site occurred. 38. However, the Commission notes that IES’ claims regarding its reliance on external specialists were not borne out by the investigations. Further, IES, as an organisation with several thousand members, cannot be described as “a small organisation”. 39. 
In determining the directions to be given to IES, the Commission has given due consideration to all the relevant factors, including the following: (a) IES was cooperative and forthcoming throughout the Commission’s investigation; (b) following its discovery of the Data Leak on 1 October 2014, IES promptly took the following measures to manage the effects of the Data Leak: (i) disabling of the members’ portal on the Site; (ii) changing of the passwords for all IES members’ accounts, and resetting of the passwords for its administrator accounts in the members’ portal; (iii) on 2 October 2014, IES sent an email notification to all IES members, informing them of the “hacking activity” on the Site, as well as the measures (listed in (i) and (ii) of this paragraph 43(b)) IES had taken to minimise damage; and (iv) removal of the telephone numbers and addresses of IES members previously stored on the database of the Site; (c) following the Data Leak, IES implemented the following additional security measures: (i) instructed Forecepts to conduct a security audit of the Site and to patch up any vulnerabilities detected pursuant to such audit, and to conduct a monthly audit on the Site upon completion of the security hardening process; (ii) installation of a new intrusion detection system, along with endpoint protection in the Site’s server; and (iii) installation of Secure Sockets Layer (“SSL”) certification in the Site’s server; and (d) the high-severity vulnerabilities identified in the 1st Scan Report pursuant to Forecepts’ audit of the Site appear, from the Acunetix Website Audit Developer Report dated 12 January 2015, which was provided by IES to the Commission, (“2nd Scan Report”), to have been patched by Forecepts. 40. Pursuant to section 29(2), and having completed its investigations and assessment of this matter, the Commission is satisfied that IES was in breach of the Protection Obligation under section 24 of the PDPA. 
Having carefully considered all the relevant factors of this case, the Commission hereby directs IES to do the following: (a) IES shall within 60 days from the date of the Commission’s direction: (i) conduct a further vulnerability scan of the Site; and (ii) patch all vulnerabilities identified by such scan; (b) IES shall, in addition, submit to the Commission by no later than 14 days after the conduct of the abovementioned vulnerability scan, a written update providing details on: (i) the results of the vulnerability scan; and (ii) the measures that were taken by IES to patch all vulnerabilities identified by the vulnerability scan; and (c) IES shall pay a financial penalty of S$10,000.00 within 30 days from the date of the Commission’s direction, failing which interest shall be payable on the outstanding amount of such financial penalty. 41. The Commission emphasises that it takes a very serious view of any instance of non-compliance under the PDPA and with the Commission’s directions. LEONG KENG THAI CHAIRMAN PERSONAL DATA PROTECTION COMMISSION ","Financial Penalty, Directions",5e4c42b6a1aec075b5207d0eb67aa18523a6767e,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,239,239,1,952,A warning was issued to Metro for failing to make reasonable security arrangements to prevent unauthorised access to personal data held in Metro’s IT systems.,"[""Protection"", ""Warning"", ""Wholesale and Retail Trade"", ""METRO""]",2016-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---metro-(210416).pdf,Protection,Breach of Protection Obligation by Metro,https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-obligation-by-metro,2016-04-21,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1504-A421 METRO PTE LTD [Reg. No. 
195700030E] ... Respondent Decision Citation: [2016] SGPDPC 7 GROUNDS OF DECISION 20 April 2016 BACKGROUND 1. On 21 April 2015, the Complainant, [Redacted] (Replaced with Ms C), complained to the Personal Data Protection Commission (the “Commission”) that she had been receiving calls from unknown numbers, and that when she conducted a search on Google, she discovered that her personal data and those of her family members were posted online on http://siph0n.net (“Siph0n website”). The Complainant had attributed the posting on the Siph0n website to a data “leak” on the Respondent’s part. A. MATERIAL FACTS AND DOCUMENTS 2. On account of the complaint made, the Commission undertook an investigation, and sought the Respondent’s response on the matter. The material facts of the case are as follows. 3. The Respondent had acknowledged that the personal data that was posted on the Siph0n website came from the database stored on its website, such data comprising personal data of individuals.1 4. The Respondent’s corporate website was developed and supported by Grey Digital Southeast Asia (also known as Yolk Pte Ltd) (“Grey Digital”). The website was hosted by Limebox Hosting Solutions. 5. The Respondent’s corporate website (http://www.metro.com.sg) was hacked into on 9 and 10 February 2014. Investigations were subsequently carried out by the Respondent’s IT (information technology) support partners, namely Grey Digital and Vodien Internet Solutions Pte Ltd (“Vodien”), into the hacking incidents. However, the investigations were unable to determine the cause of the February 2014 hacking incidents or the person(s) that had carried out the hacking(s). The Respondent produced to the Commission a report from Grey Digital in respect of the two hacking incidents (“Grey Digital’s report”). The Commission understands that the Respondent had taken steps to improve on its web security following the hacking incidents in February 2014. CONFIDENTIAL Page 1 of 4 6. 
In March 2015, it was discovered that the names, personal email addresses, NRIC numbers, personal mobile phone numbers, dates of birth and Facebook user IDs of the Respondent’s customers were disclosed on the Siph0n website. This included the personal data of the Complainant and her family, which forms the subject of the complaint in this matter. The Respondent informed the Commission that the personal data that was posted on the Siph0n website was of 445 of its customers or users of the Respondent’s website. 7. Following the March 2015 postings on the Siph0n website, the Respondent instructed Grey Digital to remove any user information from the server of the hacked corporate website. 8. The Respondent also engaged KPMG Singapore to carry out an assessment and audit of the security of its internal as well as external (i.e. internet-facing) systems. A copy of the report dated 19 May 2015 was produced to the Commission on 10 July 2015 (“KPMG report”). 9. During its investigations, the Commission was informed by the Respondent that it had resolved several of the IT security issues raised in the KPMG report and that it had intended to address / taken steps to address the remaining issues and to further improve on its website and server security. B. COMMISSION FINDINGS AND BASIS FOR DETERMINATION Relevant issue in this case 10. Arising from the posting of personal data on the Siph0n website found in March 2015 and the IT security issues raised in the KPMG Report, the main issue in this case is whether the Respondent had in place reasonable security arrangements to protect the personal data in its possession or control, as required under Section 24 of the PDPA, when it came into effect on 2 July 2014. 11. Section 24 of the PDPA states that an organisation is obliged to protect personal data in its possession or control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 
Section 24 of the PDPA came into effect on 2 July 2014. Assessment of whether Respondent had complied with Section 24 of the PDPA 12. The Commission notes that the Respondent has attributed the postings that were discovered in March 2015 to the two hacking incidents in February 2014. The Respondent thus took the view that there was no further breach for the disclosures on the Siph0n website made in March 2015 following the two incidents. The Commission, however, notes that the Respondent was under an obligation to ensure that reasonable security arrangements were put in place to protect the personal data under Section 24 of the PDPA, when it came into force on 2 July 2014. 13. Despite the Respondent and/or Grey Digital apparently taking steps to improve the security of the Respondent’s website and system following the two hacking incidents in February 2014, it was noted that the Respondent’s system still contained numerous security issues and vulnerabilities when the security scan was conducted from March 2015 to May 2015. This is evidenced by the KPMG report dated 19 May 2015 that was produced to the Commission by the Respondent. 14. In the KPMG report, KPMG had found 30 issues with the system, comprising 6 “Significant Issues”, 11 “Reportable Issues” and 13 “Observations”. Amongst the issues raised, the Commission notes that there were 3 significant issues and 1 reportable issue with the external web application security, and 1 reportable issue in relation to the external network security. 15. In this regard, there was at least one significant issue in the KPMG report which is indicative of a failure of reasonable security arrangements even as of 19 May 2015. This is the SQL injection vulnerability. The Commission understands that the SQL injection vulnerability would have been found in the programming code of the Respondent’s external web applications, and may have been present in these web applications from the outset. 
In the Commission’s view, this is a common and well-documented form of vulnerability that ought to have been reasonably anticipated, identified and rectified by the Respondent at an early stage. 16. The Commission also notes that even as of 19 May 2015, the Respondent’s web servers were accessible to the internet; and hosted the Respondent’s website, which is the interface from which the Respondent had collected and stored the personal data from its users or customers. Accordingly, any vulnerability in the web servers or the web applications would pose a real risk or threat to the security of the personal data that was collected and/or held by the organisation. It was therefore imperative that the Respondent take the necessary measures to ensure that the servers and web applications themselves would be secure and free from any known significant security risks or vulnerabilities. The fact that there were a number of issues with the security of the Respondent’s IT system, particularly the SQL injection vulnerability, indicated to the Commission that the web security was lacking. The Commission notes that the personal data from the previously affected database (i.e. the database which was hacked) was only transferred from the internet-facing web servers after the postings to the Siph0n website in March 2015. 17. Based on the above, the Commission finds that the Respondent had failed to make reasonable security arrangements to protect the personal data held in its web servers, and it is therefore in breach of Section 24 of the PDPA. C. ACTIONS TAKEN BY THE COMMISSION 18. Given the Commission’s findings that the Respondent is in breach of its obligations under Section 24 of the PDPA, the Commission is empowered under Section 29 of the PDPA to give the Respondent such directions as it deems fit to ensure compliance with the PDPA. 
This may include directing the Respondent to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit. 19. In considering whether a direction should be made or given to the Respondent in this case, the Commission notes that: a. the Respondent had taken action to strengthen the security of its website, including engaging KPMG to undertake an internal IT security audit and assessment shortly after it had learnt of the posting of its customers’ or users’ personal data on the Siph0n website. However, the Respondent’s actions (after the hacking incidents in February 2014) did not enable it to detect and address at least one significant security lapse until several months later (i.e. after May 2015). b. the data leak that gave rise to the complaint took place before July 2014, and there is no evidence that there has been a data breach to date, notwithstanding the Respondent’s failure to make reasonable security arrangements. 20. In view of the factors noted above, the Commission has decided not to issue any direction to the Respondent to take remedial action or to pay a financial penalty. Instead, it has decided to issue a Warning against the Respondent for the breach of its obligations under Section 24 of the PDPA. 21. The Commission emphasises that it takes a very serious view of any instance of non-compliance with the PDPA, and it urges organisations to take the necessary action to ensure that they comply with their obligations under the PDPA. The Commission will not hesitate to take the appropriate enforcement action against the organisation(s) accordingly. YEONG ZEE KIN COMMISSION MEMBER PERSONAL DATA PROTECTION COMMISSION 1 “Personal data” under Section 2 of the PDPA means data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access. 
",Warning,5648d5fbfdd896cfce595bd0167287ff83fa5a2e,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,240,240,1,952,A warning was issued to Singapore Computer Society for failing to put in place reasonable security measures to prevent the accidental disclosure of the personal data of 214 registrants of an event via email.,"[""Protection"", ""Warning"", ""General (eg. Chamber of Commerce)"", ""SCS"", ""COMPUTER"", ""SOCIETY""]",2016-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---singapore-computer-society-(210416).pdf,Protection,Breach of Protection Obligation by Singapore Computer Society,https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-obligation-by-singapore-computer-society,2016-04-21,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1504-A390 SINGAPORE COMPUTER SOCIETY (Reg. No. S67SS0039C) ... Respondent Decision Citation: [2016] SGPDPC 9 GROUNDS OF DECISION 20 April 2016 A. BACKGROUND 1. On 17 March 2015, the Respondent notified the Commission that it inadvertently disclosed certain personal data of individuals attending an event organised by the Respondent to other individuals and had received information about the disclosure from some of the individuals concerned. After being notified of the incident by the Respondent, the Commission undertook an investigation to determine whether there had been a breach of the Personal Data Protection Act 2012 (the “PDPA”). The material facts of the case are as follows. B. MATERIAL FACTS AND DOCUMENTS 2. In April 2015, the Respondent jointly organised and conducted an event with the Infocomm Development of Singapore (“IDA”) named “IDEAS on Security Analytics”. 
Prior to the event, on 16 March 2015, an employee of the Respondent, [Redacted] (Replaced with Ms L), sent out an email to all individuals who had registered to attend the event (“registrants”), which had attached a copy of the registration list for the event. The registration list contained personal data of about 214 registrants (individuals). 11 of the registrants subsequently raised concerns about the unauthorised disclosure of their personal data to the Respondent. The personal data which had been disclosed included information such as the registrants’ full names, NRIC numbers, contact numbers, email addresses, organisation and designation information. The Respondent confirmed that it was not acting on behalf of IDA in relation to the collection, use, disclosure or processing of the registrants’ personal data. 3. The Respondent acknowledged to the Commission that the registration list was not meant to be disclosed externally and had been inadvertently sent to registrants on 16 March 2015. The Respondent explained that Ms L’s supervisor (who was also an employee of the Respondent) had sent her the registration list in an email which included a draft event confirmation email which Ms L was required to send to registrants. Ms L used the “Forward” function in her email application to send the event confirmation email on 16 March 2015 but forgot to remove the attached registration list (which was automatically attached to her email to registrants by her use of the “Forward” function). CONFIDENTIAL Page 1 of 4 4. Upon being notified of the disclosure by some registrants, the Respondent took the immediate step of initiating an email recall at 3 p.m. on 16 March 2015, approximately 40 minutes after the email with the registration list was sent. 5. The Respondent’s Data Protection Officer subsequently sent an official email apology to the 11 registrants who had raised concerns to the Respondent over the incident. 
All 11 registrants accepted the apology and did not pursue the matter further. Neither the Respondent nor the Commission received other complaints relating to this incident. C. COMMISSION FINDINGS AND BASIS FOR DETERMINATION Relevant issue(s) in this case 6. This case principally concerns an unauthorised disclosure of personal data by an employee of the Respondent. Under section 24 of the PDPA, an organisation is required to protect personal data in its possession or control by making reasonable security arrangements to prevent unauthorised disclosure, disposal, access, collection, use, or similar risks (amongst others). 7. A secondary issue in this case is that the Respondent did not have the consent of the registrants to disclose their personal data to other registrants (as required under section 13 of the PDPA). However, as the Respondent never intended to make such a disclosure, and hence would not have sought consent from the registrants, the Commission notes that this case is more properly considered from the perspective of the Respondent’s obligations under section 24 of the PDPA. Nevertheless, the Commission is not precluding that other cases may require an examination of both sections 13 and 24. Commission’s findings on the relevant issue(s) 8. It is not disputed by the Respondent that its employee, Ms L, had made an unauthorised disclosure of registrants’ personal data to other registrants via her email of 16 March 2015. The Commission notes that this unauthorised disclosure arose from a number of factors which reflect poor data handling practices by the Respondent, including the following: (a) Ms L’s supervisor had sent her the registration list containing registrants’ personal data in the same email which contained a draft event confirmation email which Ms L was required to send to registrants. 
This gave rise to a risk that Ms L may either not realise the registration list was attached or may forget to delete the registration list when she used the “Forward” function in the email application to send the event confirmation email; and (b) The registration list sent to Ms L was not protected by a password (or in any other manner which would prevent unintended recipients from opening it and accessing the data contained therein). 9. Under section 53(1) of the PDPA, any act done, or conduct engaged in, by an employee shall be treated for the purposes of the PDPA as acts done, or conduct engaged in, by his employer as well as him. The Respondent is therefore liable for the acts and conduct of its employees in relation to the unauthorised disclosure of registrants’ personal data on 16 March 2015. 10. In relation to the personal data which had been disclosed by the Respondent on 16 March 2015, the Commission notes that a significant amount may be business contact information, which is defined in section 2 of the PDPA as “an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes”. For personal data which is business contact information, section 4(5) of the PDPA provides that Parts III to VI of the PDPA, which include section 24, do not apply. Nevertheless, as at least some of the personal data disclosed, for example, the NRIC numbers of registrants, was not business contact information, the Respondent was required to protect such personal data in accordance with section 24. 11. Overall, the Commission considers that the Respondent’s data handling practices in relation to the sending of the event confirmation email to registrants did not include sufficient security arrangements to the standard required under section 24 of the PDPA. 
The Commission therefore finds that the Respondent is in breach of section 24 of the PDPA. A. ACTIONS TAKEN BY THE COMMISSION 12. The Commission is empowered under section 29 of the PDPA to give the Respondent such directions as it deems fit to ensure the Respondent’s compliance with the PDPA. This may include directing the Respondent to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit. 13. In considering whether a direction should be given to the Respondent in this case, the Commission notes the following: (a) A significant part of the personal data disclosed was business contact information; (b) The Respondent took prompt action to recall the emails of 16 March 2015 which had the attached registration list, even though this process did not result in a complete recall of all the emails; and (c) SCS informed the PDPC of the data breach voluntarily and was cooperative during the investigation. 14. In view of the factors noted above, the Commission has decided not to issue any direction to the Respondent under section 29 of the PDPA. Instead, the Commission has decided to issue a Warning to the Respondent for the breach of its obligations under section 24 of the PDPA. 15. The Commission emphasises that it takes a very serious view of any instance of non-compliance with the PDPA, and it urges organisations to take the necessary action to ensure that they comply with their obligations under the PDPA. The Commission will not hesitate to take the appropriate enforcement action against the organisation(s) accordingly. YEONG ZEE KIN COMMISSION MEMBER PERSONAL DATA PROTECTION COMMISSION ",Warning,d6c9678309af2f8f67777e02000fcdddf237bd78,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"