_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,140,140,1,952,"Directions, including a financial penalty of $10,000, were imposed on O2 Advertising for breaches of the PDPA. The organisation failed to put in place reasonable measures to protect individuals’ personal data collected from an advertising campaign and did not cease retention of such data when it was no longer required. The organisation was also directed to appoint a data protection officer and put in place data protection policies and practices.","[""Protection"", ""Retention Limitation"", ""Accountability"", ""Financial Penalty"", ""Information and Communications""]",2019-09-06,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---O2-Advertising-Pte-Ltd---280819.pdf,"Protection, Retention Limitation, Accountability","Breach of the Protection, Retention and Accountability Obligations by O2 Advertising",https://www.pdpc.gov.sg/all-commissions-decisions/2019/09/breach-of-the-protection--retention-and-accountability-obligations-by-o2-advertising,2019-09-06,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 32 Case No DP-1807-B2376 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And O2 Advertising Pte. Ltd. … Organisation DECISION O2 Advertising Pte. Ltd. [2019] SGPDPC 32 Tan Kiat How, Commissioner — Case No DP-1807-B2376 28 August 2019 Background 1 An individual found certain of his personal data accessible over the Internet without his consent. In particular, the individual found that when he conducted a search on Google using his name and National Registration Identification Card (“NRIC”) number, the search results included a URL link (the “URL Link”) to a database maintained by O2 Advertising Pte. Ltd. (the “Organisation”). 
The database contained the personal data of numerous individuals including the individual’s (the “Affected Individuals”). On 10 July 2018, the individual lodged a complaint with the Personal Data Protection Commission (“Commission”) over the incident. Material Facts 2 The Organisation provides advertising and marketing services in Singapore. In 2015, the Organisation collected the Affected Individuals’ personal data during an advertising campaign conducted on behalf of one of its clients. The Organisation stored the collected personal data in two databases. 3 The incident resulted in the following types of personal data of the Affected Individuals being either exposed to unauthorised access or at risk of unauthorised access (the “Disclosed Data”) depending on which database the Disclosed Data was stored in: (a) Name; (b) NRIC number; (c) email address; (d) residential address; (e) gender; (f) date of birth; (g) mobile number; (h) age; and (i) skin type. 4 The Disclosed Data of 403 Affected Individuals was stored in one database (“Database A”) and exposed to unauthorised access through the URL Link found by the complainant. The Disclosed Data of 1,165 Affected Individuals was stored in another database (“Database B”) which was at risk of unauthorised access. This was because after accessing Database A using the URL Link, a party with knowledge of how to navigate the root directory could possibly gain access to Database B. In addition, there was a risk of unauthorised access to 2 PHP files found in a directory containing user names and passwords to the Organisation’s email system and another database (“Exposed Credentials”). Using the same URL Link, a party with knowledge of how to navigate the root directory could also possibly gain access to the Exposed Credentials. 
The Commissioner’s Findings and Basis for Determination 5 The issues for determination are: (a) whether the Organisation breached the Protection Obligation under section 24 of the PDPA; (b) whether the Organisation complied with its Retention Limitation Obligation under section 25 of the PDPA; and (c) whether the Organisation complied with its Accountability Obligation under sections 11(3) and 12 of the PDPA. Whether the Organisation breached section 24 of the PDPA 6 Databases A and B which contained the Disclosed Data were maintained by the Organisation. Hence, the Organisation had possession and control of the Disclosed Data at all material times and therefore had an obligation to protect them. Database A was in the Public_HTML directory of a server, and was not secured with any form of access controls. This enabled internet search engines like Google to index the URL Link to Database A, resulting in it showing up in search results. As stated above, this also exposed Database B to risk of unauthorised access. The Organisation asserted that the server hosting Database A and Database B was password protected. However, this was not a security arrangement to restrict access to the databases which had been stored in the Public_HTML directory. 7 As observed in Re Tutor City [2019] SGPDPC 5 (at [21] to [23]), there are a number of technical security measures that can be implemented to prevent documents from being indexed by web crawlers: (a) First, the Organisation could have placed these documents in a folder of a non-public folder/directory. (b) Second, the Organisation could have placed these documents in a folder of a non-public folder or directory, with access to these documents being through web applications on the server. (c) Third, the Organisation could have placed these documents in a sub-folder within the Public Directory but control access to files by creating a .htaccess file within that sub-folder. 
This .htaccess file may specify the access restrictions (e.g. implement a password requirement or an IP address restriction). 8 Since its website went live over 5 years ago, the Organisation had not conducted any vulnerability scanning. The flaws in the security of its website that had been discovered during investigations would have been revealed in a vulnerability scan. Had one been conducted, the Organisation would have been in a position to put in place the reasonable security arrangements mentioned in the preceding paragraph. 9 For the reasons above, the Commissioner finds the Organisation in breach of section 24 of the PDPA. Whether the Organisation breached section 25 of the PDPA 10 Under section 25 of the PDPA, an organisation is obliged to cease retaining personal data once the purpose for which the personal data was collected has been served, unless further retention can be justified for legal or business purposes. The Organisation admitted that it had overlooked deleting the Disclosed Data and that there were no reasonable grounds to continue retaining it after the engagement with its client ceased in 2016. The Disclosed Data was only deleted by the Organisation after it was informed by the Commission of the complaint. The Commissioner therefore finds the Organisation in breach of section 25 of the PDPA. Whether the Organisation breached sections 11(3) and 12 of the PDPA 11 Section 11(3) of the PDPA requires the Organisation to appoint a data protection officer; section 12 of the PDPA imposes an obligation on organisations to develop and implement data protection policies and practices. The Organisation admitted that at the material time, it did neither of these. In the circumstances, the Commissioner finds that the Organisation failed to meet its obligations under sections 11(3) and 12 of the PDPA. 
Representations by the Organisation 12 In the course of settling this decision, the Organisation made representations on the amount of financial penalty which the Commissioner intended to impose. In the beginning of 2016, the Organisation discovered it was a victim of a fraud involving the misappropriation of company funds amounting to approximately $3.2 million, resulting in massive retrenchment and significant cash flow issues for the Organisation. Consequently, the Organisation’s financial performance for the past few years has been weak, and it is currently in dire financial straits. The director is 72 years old and has been the Organisation’s sole employee since 1 March 2018. He intends to continue the Organisation’s business on a significantly reduced scale. 13 Having carefully considered the representations, the Commissioner has decided to reduce the financial penalty to $10,000. The quantum of financial penalty has been determined after due consideration of the Organisation’s finances and to avoid imposing a crushing burden on the Organisation given its present financial circumstances and future prospects. Although a lower financial penalty has been imposed in this case, the quantum of financial penalty should be treated as exceptional and should not be taken as setting any precedent for future cases. The Commissioner’s Directions 14 Having found the Organisation in breach of sections 11(3), 12, 24 and 25 of the PDPA, the Commissioner hereby directs the Organisation: (a) to pay a financial penalty of $10,000 within 30 days from the date of the Commissioner’s direction, failing which, interest at the rate specified in the Rules of Court (Cap 322, R5, 2014 Rev Ed.) in respect of judgment debts, shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full; 
(b) to appoint an individual responsible for ensuring the Organisation’s compliance with the PDPA within 30 days from the date of the Commissioner’s direction; (c) to develop and implement policies and practices that are necessary for the Organisation to meet its obligations under the PDPA within 60 days from the date of the Commissioner’s direction; and (d) to inform the Commission of the completion of each of the above directions in (b) and (c) within 1 week of implementation. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,cedca1dbf798a0941276a2ed505c2ae8e14eda86,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,141,141,1,952,"A financial penalty of $5,000 was imposed on Executive Link Services for breaches of the PDPA. The organisation failed to appoint a data protection officer and did not have written policies and practices necessary to ensure its compliance with the PDPA.","[""Accountability"", ""Financial Penalty"", ""Employment""]",2019-09-06,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Executive-Link-20082019.pdf,Accountability,Breach of the Accountability Obligation by Executive Link Services,https://www.pdpc.gov.sg/all-commissions-decisions/2019/09/breach-of-the-accountability-obligation-by-executive-link-services,2019-09-06,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 30 Case No DP-1806-B2237 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Executive Link Services Pte. Ltd. … Organisation(s) DECISION Executive Link Services Pte. Ltd. [2019] SGPDPC 30 Mr Yeong Zee Kin, Deputy Commissioner – Case No DP-1806-B2237 23 August 2019 Background 1. On 11 June 2018, Executive Link Services Pte. Ltd. 
(the “Organisation”) reported a data breach to the Personal Data Protection Commission (the “Commission”) concerning the unintended disclosure of personal data of individuals that was stored on the Organisation’s server (“Incident”). The Commission investigated the Incident and determined that the Organisation had breached its obligations under the Personal Data Protection Act 2012 (“PDPA”). Material facts 2. The Organisation is an employment agency. Sometime before 8 June 2018, one of the Organisation’s clients engaged a cybersecurity company to scan the Internet for information relating to the client. During this scan, the cybersecurity company was able to gain access and retrieve copies of draft contracts of job candidates from the Organisation’s server. The Organisation was alerted on 8 June 2018. In total, resumes of 367 individuals (the “Affected Individuals”) and around 150 draft contracts relating to some of those individuals, together with the personal data therein (the “Compromised Personal Data”), were exposed to unauthorised disclosure in this manner. 3. The Compromised Personal Data included the following: (a) the individual’s name, address, contact number, email address(es), education level, salary expectation and employment history (in relation to the resumes); and (b) the individual’s name, address and salary information (in relation to the draft contracts). Events leading to the Incident 4. The Organisation had implemented remote access for staff to access internal files stored on its data storage server. This required the use of a Virtual Private Network (“VPN”) service. The server was supplied by Blumm Technology Pte. Ltd. (“Blumm”) and installed and set up by the Organisation’s information technology (“IT”) vendor, SShang Systems (“SShang”). SShang provided IT support services to the Organisation, e.g. upgrading and configuration of hardware, and general IT troubleshooting. 
When staff had difficulties with VPN access, the Organisation approached SShang for assistance. SShang was, in turn, advised by Blumm to adopt a workaround, by opening and enabling file access through the server’s file transfer protocol (“FTP”) port (the “VPN Workaround”). Blumm also advised SShang to password-protect the folders within the server after the FTP port was opened. 5. When SShang implemented the VPN Workaround, it did not advise the Organisation about password-protecting the folders on the server because it assessed that there was little or no risk of unauthorised access to the folders since remote access was limited to staff. Although the Organisation had only intended to test the VPN Workaround for a few days, it was during this period that its client discovered the Compromised Personal Data on its server. 6. In the course of the Commission’s investigation, the Organisation also admitted that it had not appointed a DPO and that it did not have any policies, internal guidelines or procedures on the collection, use and disclosure of personal data and other matters required under the PDPA. Findings and Basis for Determination Issues for determination 7. Based on the facts of the case, the issues to be determined are as follows: (a) Whether the Organisation had complied with its obligation to protect personal data under section 24 of the PDPA; and (b) Whether the Organisation had complied with the obligations to appoint a data protection officer (“DPO”) and develop and implement data protection policies and practices under sections 11(3) and 12 respectively of the PDPA. Whether the Organisation complied with its obligation under section 24 of the PDPA 8. At all material times, the Compromised Personal Data was in the Organisation’s sole possession and control. SShang was engaged to provide IT support services but was not engaged to process personal data. 
Blumm supplied the server and had assisted to open the server’s FTP port to enable the VPN Workaround, but it was not engaged to process personal data. Hence, neither SShang nor Blumm was a data intermediary, and the responsibility to protect the Compromised Personal Data fell squarely and solely on the Organisation. 9. The question is whether the Organisation had failed to take reasonable steps to protect the Compromised Personal Data. It should be noted from the outset that this was not a case involving a server hosting a website that was meant to be accessible on the World Wide Web. It was an internal server that was meant to be accessed by staff remotely through the Internet. There are subtle but significant differences between the two. A website on the World Wide Web is by its nature intended to be more easily linked from other websites, and to be discovered by search engines and directories. Remote access to a server via the Internet requires the member of staff to use VPN software or know the precise Internet Protocol (“IP”) address. It is not usually crawled by online search engines. But that is not to say that it cannot be discovered. It can be, by using the right tool to scan a known IP address range, as was done in this case by the cybersecurity company. The footprint is smaller and the risk is lower, but that does not in any way mean that the risk does not exist. 10. The Organisation did not have the requisite IT knowledge and depended on its outsourced IT support services provider. Its duties as owner of the server and controller of the Compromised Personal Data include making its requirements known to SShang and asking the right questions from the perspective of a business owner. It can rely on SShang’s technical know-how. In this case, the Organisation was aware of the risks and had implemented VPN access for its staff. 
When there were difficulties with the VPN access and SShang was called upon to troubleshoot, it was a natural and reasonable expectation that any workaround recommended would not materially compromise its requirement for security. It is not unreasonable for the Organisation to have expected that any such material deviation – particularly when the security level is lowered – would be drawn to its attention. 11. Of course, the Organisation could have asked about the security of the VPN Workaround. But is it reasonable to expect this level of pedantry? I am mindful that when troubleshooting IT issues, there is a degree of urgency and need for speed to implement workarounds, identify root causes and implement permanent solutions. In these circumstances, the operating assumption should be that existing business rules continue to be relevant. However, I am of the view that since the VPN Workaround touched on secured remote access, the Organisation could have sought clarification of the impact of the VPN Workaround on its requirements for security. 12. In this case, SShang had been advised by Blumm to enable password protection. SShang had assessed that there was no need to do so as remote access was limited to staff and there was little or no risk of unauthorised access to the folders. We do not know what SShang would have informed the Organisation had the Organisation sought clarification. However, even if SShang had shared its assessment and maintained its advice that it was not necessary to enable password protection, the Organisation would not have known better and would have relied on the advice. In light of these circumstances, I am giving the Organisation the benefit of the doubt and will not make a finding of breach of its protection obligation under section 24 of the PDPA. Whether the Organisation complied with its obligations under sections 11(3) and 12 of the PDPA 13. The remaining two issues are straightforward. 
Section 11(3) of the PDPA requires an organisation to designate one or more individuals to be responsible for ensuring that the organisation complies with the PDPA. This individual is typically referred to as the DPO. Further, section 12 of the PDPA requires an organisation to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA, and to communicate information about such policies and practices to its employees (among other obligations). The importance of these requirements has been emphasized multiple times in previous decisions (see Re Aviva Ltd [2017] SGPDPC 14 at [32]; Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 at [31] to [37]; Re Singapore Taekwondo Federation [2018] SGPDPC 17 at [39] to [42]; Re AgcDesign Pte Ltd [2019] SGPDPC 23 at [4] to [5]). 14. In view of the Organisation’s admissions that it had not appointed a DPO and had not developed and implemented any policies, internal guidelines or procedures on the collection, use and disclosure of personal data, I find the Organisation in breach of sections 11(3) and 12 of the PDPA. Remedial Actions by the Organisation 15. After being informed of the Incident by its client, the Organisation closed the FTP port on the same day. The Organisation also took the following additional steps: a. Shut down the server permanently and replaced it with a new server; b. Installed a firewall for the new server and implemented access to the new server via VPN, which requires the use of passwords (thereby limiting access to the data stored on the server); c. Implemented password policies for its employees for the use of the VPN; d. Engaged a cyber-security firm to conduct a network vulnerability assessment on its new server, which found no vulnerabilities; e. Appointed a data protection officer; f. Drafted and implemented policies on the handling of personal data; and g. 
Provided data protection training for its employees. The Deputy Commissioner’s Directions 16. In assessing the breach, I took into account the following mitigating factors: a. The Organisation was cooperative with the Commission during its investigation and was prompt and forthcoming in its responses to queries posed by the Commission; b. The Organisation took swift and extensive remedial action following the Incident; c. The duration that the Compromised Personal Data was at risk was only for a limited time period. The Organisation was alerted to the Incident only a few days after the FTP port was opened to enable the VPN Workaround, and the Organisation took swift action thereafter to remove such access; and d. The VPN Workaround was only intended to be a temporary measure, and the Organisation had intended to revert to the use of the VPN. Thus, the potential for unauthorised disclosure of the Compromised Personal Data would have been limited in any event. 17. Having considered the facts of this case and the factors outlined above, I hereby direct the Organisation to pay a financial penalty of $5,000 within 30 days from the date of this direction, failing which interest at the rate specified in the Rules of Court (Cap 322, R5, 2014 Rev Ed.) in respect of judgment debts, shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION 
",Financial Penalty,738ff8a1f74b23bb71dfc2235015dbfcd02e2751,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,142,142,1,952,A warning was issued to Friends Provident International for failing to protect the personal data of its policyholders from unauthorised disclosure via its online portal.,"[""Protection"", ""Warning"", ""Finance and Insurance""]",2019-09-06,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Ground-of-Decision---Friends-Provident---300719.pdf,Protection,Breach of the Protection Obligation by Friends Provident International,https://www.pdpc.gov.sg/all-commissions-decisions/2019/09/breach-of-the-protection-obligation-by-friends-provident-international,2019-09-06,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 29 Case No DP-1805-B2112 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Friends Provident International Limited … Organisation DECISION Friends Provident International Limited Yeong Zee Kin, Deputy Commissioner – Case No. DP-1805-B2112 30 July 2019 Facts of this Case 1 Friends Provident International Limited is a company established in the Isle of Man which provides life assurance services in Singapore through a registered branch office (the “Organisation”). In the course of providing these services, it operates and maintains an online portal (the “Portal”) through which its policyholders can request changes to their particulars, for example, contact details. On 10 May 2018, the Organisation notified the Personal Data Protection Commission (the “Commission”) of a data breach incident involving the disclosure of certain personal data of policyholders obtained from the Portal. The circumstances leading to the incident were as follows. 
2 The Organisation’s policyholders and certain other authorised personnel could access the Portal via a “Secured Mailbox” webpage on the Organisation’s website (the “Secured Mailbox Webpage”). Policyholders could, as noted above, submit certain requests via the Portal and the Organisation’s authorised personnel accessed the Portal in order to process these requests. For this purpose, the Organisation’s authorised personnel could generate reports containing the data of policyholders who had made a request (“Reports”). These Reports were stored in the Portal and could be obtained thereafter by the Organisation’s authorised personnel. 3 The ability to generate and obtain Reports from the Portal was intended to be restricted to the Organisation’s authorised personnel. To achieve this, when a user logged in to the Secured Mailbox Webpage, the system would determine whether the user was one of the Organisation’s authorised personnel or a policyholder. If the user was one of the authorised personnel, a ‘Report’ tab would be displayed in the Secured Mailbox Webpage which enabled the authorised personnel to generate and obtain Reports. The ‘Report’ tab was hidden from the view of policyholders when they accessed the Secured Mailbox Webpage. Apart from hiding the ‘Report’ tab, no additional or separate authorisation was necessary in order to generate and obtain Reports from the Portal and there was no subsequent verification (after the user logged in) as to whether the user was, in fact, authorised to generate and obtain the Reports via the ‘Report’ tab. 4 As a result of a faulty JavaScript within the Secured Mailbox Webpage, the ‘Report’ tab was visible to policyholders when they resized their desktop internet browser to a smaller size or if they accessed the Secured Mailbox Webpage via a mobile device. 
As no verification or separate authorisation was required to access the ‘Report’ tab and generate and obtain Reports, such policyholders were able to generate and obtain Reports from the Portal once the ‘Report’ tab was visible (collectively referred to as the “Vulnerability”). 5 The exploitability of the Vulnerability, which had likely existed since 30 September 2017 when the Secured Mailbox Webpage was introduced, was fortuitously resolved on 6 February 2018 when the Secured Mailbox Webpage was enhanced and backend verification was included. Unfortunately, on 12 December 2017, one of the Organisation’s policyholders discovered that he could generate and obtain Reports from the Portal that contained the names, policy numbers and regions of residence of other policyholders. He subsequently reported this to the Monetary Authority of Singapore which, in turn, notified the Organisation of the incident (the “Reported Breach”). The Organisation had been unaware of the Vulnerability until it was notified of the Reported Breach. 6 The Organisation subsequently determined that before the Vulnerability was fixed, 42 Reports had been produced and downloaded by 21 policyholders or their advisors. The total number of individuals affected by this was estimated to be 240, 11 of whom had their policy numbers disclosed. 
After the Reported Breach, the Organisation undertook the following as part of its remedial actions: (a) reviewed the Portal to ensure that the Reports were no longer accessible by unauthorised personnel; (b) conducted an initial risk assessment and commenced an immediate investigation into the Reported Breach; (c) imposed a requirement that regression testing must be conducted for mobile devices and different screen resolutions; (d) ensured that backend access validation was in place on top of front-end validation; (e) ensured that all employees received training on data protection upon commencement of employment, which would be refreshed annually; and (f) contacted the policyholder who had generated and downloaded Reports on 12 December 2017 to ensure that he no longer held the Reports that he downloaded. Findings and Basis for Determination 7 Section 24 of the Personal Data Protection Act 2012 (the “PDPA”) requires organisations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, disclosure and similar risks. I find that the Organisation had not done so, and is in breach of section 24, for two main reasons: first, the manner in which the Organisation restricted access to the Reports was insufficient to prevent unauthorised access to the Reports and the personal data they contained and, secondly, the testing of the Secured Mailbox Webpage was inadequate. 8 On the first point, what is most striking in this case is the lack of an authorisation mechanism for access to the ability to generate and obtain Reports. Once a user gained access to the Secured Mailbox Webpage and could view the ‘Report’ tab (in the circumstances noted above), no further authorisation or verification was required to generate and obtain Reports from the Portal via the ‘Report’ tab. 
The only means the Organisation employed to limit access to the Reports was to hide the ‘Report’ tab from the view of unauthorised persons. This was insufficient as there could be various ways in which the hidden tab could be revealed, even without the faulty JavaScript, such as by manipulating the scripts or widgets running on the Secured Mailbox Webpage. 9 On the second point, given that the Secured Mailbox Webpage was intended for use across a variety of devices and screens, testing should have been conducted across multiple browsers and devices. While organisations are not expected to test across all possible browsers and devices, testing should have been done on representative devices (in the present case, with different screen or browser sizes) based on the design and intended functionality of the Secured Mailbox Webpage. The Organisation’s failure to do so meant that its testing was ultimately inadequate to address the risk of unauthorised access to the personal data in the Reports. In fact, simply accessing the Secured Mailbox Webpage on a mobile device as part of its tests would have revealed the Vulnerability to the Organisation. Additionally, organisations and developers should note that the testing of other browser conditions such as script blocking, while not mandatory, is highly recommended. In the Organisation’s case, script blocking would also have caused the ‘Report’ tab to become visible. Outcome 10 Taking the totality of the circumstances into account, I have decided to issue a warning to the Organisation for its contravention of section 24 of the PDPA. In reaching this conclusion, I note that: (a) the potential for misuse of the personal data disclosed was relatively low because the data was not of a nature where identity theft could be committed; and (b) the Organisation had promptly notified the Commission and implemented remedial actions upon learning of the Reported Breach. 
YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION ",Warning,6578b3c9e72080e89fbcce5011a711485b15a443,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"