_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,113,113,1,952,A warning was issued to L’Oreal Singapore for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of individuals on its website. The personal data of 7 individuals were compromised from a data breach incident involving its website.,"[""Protection"", ""Warning""]",2020-01-09,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Loreal-Singapore-Pte-Ltd---261219.pdf,Protection,Breach of the Protection Obligation by L'Oreal Singapore,https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-obligation-by-l-oreal-singapore,2020-01-09,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1812-B3091 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And L’Oreal Singapore Pte. Ltd. SUMMARY OF THE DECISION 1. L’Oreal Singapore Pte Ltd (the “Organisation”) operated a website which had a login portal that enabled its customers to view their profile information, redeem vouchers and make enquiries about customer points (“Customer Login Page”). The customers’ profile information included their name, email address, postal address, mobile number and date of birth (the “Personal Data”). The development and maintenance of the website was carried out by a vendor engaged by the Organisation. 2. To improve the loading speed of the website, the Organisation instructed its vendor to make some changes to the website in November 2018. However, the Organisation failed to scope the User Acceptance Tests (“UATs”) to include the normal functioning of the website, in particular the login and caching functions of the Customer Login Page, after the code changes were introduced. 
As a result, when a customer (“Customer A”) logged into the Customer Login Page, his or her Personal Data would be cached. Customer A’s Personal Data would then be disclosed to customers who subsequently logged in to the Customer Login Page until the cache was refreshed. Similarly, the Personal Data of the second customer (“Customer B”), who logged in after the cache refresh, would be cached, leading to disclosure of Customer B’s Personal Data to the third customer who logs in next, and all subsequent customers until the next cache refresh. When the Organisation came to know of this, the Organisation disabled the Customer Login Page. The Organisation also engaged a consultant to assist in its investigations into the matter and to provide recommendations to prevent similar incidents in the future. 3. The Personal Data Protection Commission (“Commission”) found that Personal Data of 7 individuals had been exposed to the risk of unauthorised disclosure as a result of the Organisation’s failure to ensure appropriate testing of its website or make other security arrangements to protect the Personal Data. The Commission notes the Organisation’s representations that it had completed all necessary and appropriate UATs based upon the reasonably foreseeable impact of the requested changes to its website. However, as mentioned at [2] above, the scope of the UATs was inadequate because it did not simulate the normal operating environment of the website. In particular, the UATs only provided for a limited test case of a single user logging into the website, and failed to include the foreseeable scenario of multiple users logging in sequentially. 4. Having considered the representations and taking into account all the relevant circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 24 of the Personal Data Protection Act 2012 and decided to give a warning to the Organisation. 
",Warning,4102189a17de6b15ab601751db63326670e4ef82,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,114,114,1,952,"A financial penalty of $15,000 was imposed on Creative for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of users of its online support forum.","[""Protection"", ""Financial Penalty""]",2020-01-09,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Creative-Technology-Ltd--020120.pdf,Protection,Breach of the Protection Obligation by Creative,https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-obligation-by-creative,2020-01-09,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 1 Case No DP-1811-B3058 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Creative Technology Ltd … Organisation DECISION Creative Technology Ltd Tan Kiat How, Commissioner — Case No DP-1811-B3058 2 January 2020 Facts of this Case 1 This case concerns an online support forum (the “Forum”) operated and hosted by Creative Technology Ltd (the “Organisation”). In November 2018, the Personal Data Protection Commission (the “Commission”) was informed that the Forum had been hacked sometime in mid-2018 resulting in the unauthorised disclosure of personal data of users of the Forum (the “Incident”). 2 The Organisation first set up the Forum some time in 2004 to help users share ideas and information relating to the Organisation’s products. In 2011, the Organisation adopted a third-party forum software known as “vBulletin” to operate and host the forum internally. Unknown to the Organisation, the vBulletin software had a SQL vulnerability which could allow hackers to extract information hosted on the platform using SQL injection techniques. 
The developers of the vBulletin software released patches to address this SQL vulnerability in 2016. However, the Organisation had not installed these patches at the time of the Incident. 3 On 25 May 2018, an unknown hacker used SQL injection techniques to obtain personal data of Forum users from the Forum’s database. In particular, the hacker exploited the vulnerability in the vBulletin software to launch SQL injection attacks by using the “Forumrunner” add-on (footnote 1). 4 The Organisation first came to know of the Incident on 4 June 2018, when it was notified by a security researcher that he had received a set of user data extracted from the Forum. The Organisation subsequently found that 484,512 users’ account information had been accessed and extracted in the Incident (footnote 2). Of these, only 173,763 appeared to be legitimate email addresses with the remainder, in the Organisation’s view, being “disposable” or otherwise not legitimate (footnote 3) email addresses. Further, of the accounts with legitimate email addresses, the Organisation found that there were 8,258 active users (footnote 4) (“Active Users”) who had accessed or posted on the forum between 2014 and 2018 and, amongst these Active Users, approximately 2,600 had email addresses which contained either the names or partial names of individuals. 5 According to the Organisation, the following data of Forum users (the “Personal Data”) were accessed and extracted by the hacker: (a) username; (b) password, salted and hashed by the vBulletin software (each password was hashed using the MD5 algorithm, and the resulting password was hashed for a second time by MD5 and salted with random characters) (footnote 5); (c) email address; and (d) Internet Protocol address (IP address). Footnote 1: The Forumrunner add-on allows users to use forums hosted using vBulletin on their mobile devices. Footnote 2: The Commission has not verified the number of user accounts affected for reasons explained at [14]. Footnote 3: Such as email addresses from the Mailinator Service and addresses which contained gibberish or profanities. Footnote 4: According to the Organisation, users whose (i) accounts were activated (by clicking on a verification link in an email sent to them during the Forum registration process); and (ii) had logged into the Forum with their user account, or had uploaded at least one post in the Forum. Footnote 5: See paragraph 11. 
6 In addition, optional personal data which the Forum user may choose to enter (the “Optional Data”), including age, date of birth, other contact details (e.g. ICQ number, AIM screen name, Skype name, and MSN and Yahoo! Messenger handles), location, occupation, could be accessed when the password was used to log in to a user’s account. These data were viewable by other Forum members, with the exception of date of birth, which the individual could choose to hide from, or disclose to, other Forum users. Remedial actions 7 Upon discovering the Incident, the Organisation undertook the following remedial measures: (a) it conducted a review of all its systems, servers, and software used by its IT and Internet Marketing teams and determined that the incident was an isolated occurrence, and the other systems had been subject to regular security reviews and security patches; (b) it notified the 8,258 Active Users of the Incident; and (c) it shut down the Forum temporarily on 4 June 2018 to prevent further incursions, and shut it down permanently shortly thereafter (by 20 June 2018). Findings and Basis for Determination Whether the Organisation complied with the Protection Obligation 8 Section 24 of the Personal Data Protection Act 2012 (the “PDPA”) requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the “Protection Obligation”). 
It is not in dispute that the Personal Data and the Optional Data were in the Organisation’s possession and under its control at the time of the Incident. 9 The Organisation had failed to put in place reasonable security arrangements to protect the Personal Data for the following reasons. 10 First, the Organisation had not patched or updated its version of vBulletin since 2 May 2015, three years prior to the Incident. This was a significant factor leading to the Incident. As stated in the Commission’s Guide to Securing Personal Data in Electronic Medium (revised 20 January 2017, at [16]), regular security patching is important for organisations to keep their systems and databases current and minimise their vulnerabilities. 11 Secondly, the use of the MD5 algorithm is no longer sufficiently secure for password hashing, as compared with other available algorithms. Passwords hashed with MD5 are susceptible to some forms of attacks and, if they are compromised, this could lead to the disclosure of other personal data. Individuals may face additional risks if they had used the same email address and passwords for other online accounts. In this regard, the developers of vBulletin no longer used MD5-hashed passwords by default, opting for the more secure bcrypt since the March 2014 version of vBulletin. This reinforces the point that if the Organisation had implemented the updates, the users’ hashed passwords would be more secure. 12 In the circumstances, the Commissioner found the Organisation in breach of section 24 of the PDPA. 
The Commissioner’s Directions 13 In determining the directions to be imposed on the Organisation under section 29 of the PDPA, the Commissioner took into account the following mitigating factors: (a) the Organisation was cooperative in the investigations and had provided prompt and detailed responses to the Commission’s requests for information; (b) the Organisation implemented reasonable remedial and corrective actions to address the Incident, which included notifying the affected Active Users; (c) even though the Organisation had deleted the database, it made the effort to go through its email logs to determine the number of affected user emails which contained either names or partial names. 14 In the course of settling this decision, the Organisation made representations highlighting the low sensitivity of the personal data that was disclosed and the fact that the disclosure was unlikely to have caused serious or substantial harm or injury. The type of personal data involved in the Incident (as set out at [5] above) has already been taken into consideration when deciding on the quantum of the financial penalty to be imposed and, as such, no further reduction in the quantum is warranted. 15 The Organisation’s deletion of the user database is an aggravating factor that affected the Commission’s investigations. The number of affected individuals estimated by the Organisation could not be verified given their deletion of the user database. The Organisation was notified about the Incident by a security researcher on 4 June, verified that user account information had been exfiltrated, and by 20 June it had shut down the forum and deleted the user database: see [8]. These decisions were made within a short period of 2 weeks but cast a shadow stretching far into the future. By the time the Organisation was formally notified that the Commission was commencing investigations in November 2018, the user database had been expunged for 5 months. 
16 In Re NTUC Income Insurance Co-operative Ltd [2018] SGPDPC 10, the Commission stated that all organisations have the duty to preserve evidence and that it does not look favourably on the destruction or deletion of potentially relevant documents and records. The decision sets out some of the factors that the Commission would take into account in determining whether or not an organisation would be sanctioned for such deletion or destruction. These factors include whether or not the deletion prejudiced a fair investigation and whether or not legal proceedings were anticipated or contemplated. In this case, investigations were prejudiced given that the number of affected individuals could not be verified. 17 The Organisation made representations stating that it had deleted the user database to comply with section 25 of the PDPA, which imposed an obligation on organisations to cease retention of personal data once the purpose for its collection is met, and retention is no longer necessary for legal or business purposes. The Organisation submitted that section 25 applied to a situation where there was an ongoing legal course of action or a risk of potential litigation, neither of which existed at the time. The Organisation’s interpretation of section 25 is unnecessarily narrow. As the Commission held in NTUC Income Insurance Co-operative Ltd, section 25 allows for the retention of personal data where it is required for legal purposes such as investigations by the Commission. 18 The question is whether, in June 2018 when the user database was deleted, the Organisation could have anticipated an investigation by the Commission. There are a number of facts that the Organisation should have considered before deciding to delete the user database. 
First, the source of information about the exfiltration was an external security researcher; second, the nature of notification was that the security researcher had received personal data extracted from the Forum from a third-party source; third, the Organisation verified that personal data from 484,512 user accounts had been exfiltrated: see paragraph 4. Collectively, these facts point to a not insignificant data breach that affected a significant number of users, any one of whom might initiate a complaint. 19 The Organisation ought to have retained the user database offline for a period, but could have limited access to it. It is not necessary at this point to venture an opinion about how long the Organisation ought to have preserved the user database. The necessity of preservation and the period of preservation is determined on the facts of each case. What can be said is that the decision to delete the user database within 2 weeks of discovering the Incident was taken too hastily. 20 The Organisation made representations stating that it had not deleted the user database in bad faith. Whilst it has been said that the decision was taken too hastily, there is no evidence to suggest that the decision was taken in bad faith or in order to put evidence beyond the reach of investigations. These are not considerations that factored in the determination of the directions. 21 The Commissioner hereby directs the Organisation to pay a financial penalty of $15,000 within 30 days, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 22 The Commissioner decided not to impose any other direction as the Organisation has ceased to operate the Forum and no longer retains the database of Forum users. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,1d4e08be82b95f65085e2a8f991ad5845f795f48,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,115,115,1,952,"Directions, including a financial penalty of $20,000, were imposed on Society of Tourist Guides for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect its members’ personal data. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to ensure its compliance with the PDPA.","[""Protection"", ""Accountability"", ""Directions"", ""Financial Penalty""]",2020-01-09,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Society-of-Tourist-Guides-Singapore-261219.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by Society of Tourist Guides,https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-and-accountability-obligations-by-society-of-tourist-guides,2020-01-09,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 48 Case No. DP-1903-B3445 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Society of Tourist Guides (Singapore) … Organisation DECISION Society of Tourist Guides (Singapore) [2019] SGPDPC 48 Tan Kiat How, Commissioner — Case No. DP-1903-B3445 26 December 2019 Introduction 1 On 3 March 2019, the Personal Data Protection Commission (the “Commission”) received a complaint that personal data of individuals had apparently been exposed to unauthorised access and disclosure through links on the Society of Tourist Guides (Singapore)’s (the “Organisation”) website. 
Facts of the Case 2 The Organisation is a non-profit organisation that works with the Singapore Tourism Board (“STB”) to promote the professionalism of tourist guides as tourism ambassadors of Singapore. Tourist guides registered with STB may sign up as members of the Organisation (“Members”). In May 2018, the Organisation engaged a Vietnam-based IT company (the “Vendor”) to develop its website https://societyoftouristguides.org.sg (the “Website”). 3 One of the Organisation’s purposes for the Website was to collect personal data from its Members. Personal data was collected from Members through their respective user accounts on the Website and included their names, photographs, contact numbers, e-mail addresses and a write-up of themselves (for example, with the type of services they provided) (“Profile Data”). Members could also upload images of their identification documents (e.g. NRIC, employment pass, driving and vocational licences) which contained various personal data (“ID Data”). 4 Members’ Profile Data were published on their respective public profile pages on the Website. This enabled members of the public to find and engage a Member with the necessary experience and expertise to provide services that he or she required. 5 As regards the ID Data, these were used by the Organisation for a few purposes. These included (i) applying for SkillsFuture grants for training programmes conducted for Members; (ii) facilitating arrangements for Members to gain access to secure locations when required (e.g. transit areas in airports); and (iii) verifying that the Members were qualified to provide transport services based on his or her driving and vocational licences. 6 The Organisation did not specify any requirements to its Vendor with respect to the storage and protection of Members’ personal data collected through the Website. The Website was launched on 1 October 2018. 
Since its launch, the Organisation has been managing the Website, with the Vendor’s role limited to ad-hoc technical assistance. 7 On 3 March 2019, the Commission received a complaint that there had been disclosure without consent of sensitive information of individuals, such as Singapore National Registration Identity Card (“NRIC”), Driving Licence and photographs, through links on the Website (the “Incident”). The Commission’s investigations revealed that a total of 111 unique Members were affected by the Incident (the “Affected Members”) (footnote 1). In this regard, the publicly accessible directories on the Website (“Web Directories”) were found to store images of the identification documents set out below, which contained ID Data of the Affected Members (the “Disclosed Data”): (1) Singapore National Registration Identity Card (“NRIC”): name, NRIC number, photograph, thumbprint, address, date of birth, country of birth, race, gender and date of issue (97 Members affected); (2) Singapore Armed Forces Identity Card: name, NRIC number/colour, photograph, address, date of birth, country of birth, race, gender, blood group, service status and military rank status (1 Member affected); (3) Vietnamese Identity Card: name, card number, photograph, date of birth, place of birth, place of residence, fingerprints, ethnic group, religion and date of issue (1 Member affected); (4) Singapore Employment Pass: name, photograph, occupation, Foreign Identification Number, date of application, date of issue, date of expiry and employer (1 Member affected); (5) Singapore Driving Licence: name, licence number (same as NRIC number), photograph, date of birth, classes of vehicles the individual is licensed to drive and each pass date and date of issue (47 Members affected); (6) Singapore Vocational Licence: name, licence number (same as NRIC number), photograph, date of issue and type and description of each vocational licence held, and their respective dates of issue (16 Members affected). 
Footnote 1: A Member could have uploaded images of more than one type of identification document on the Website. 8 It also emerged in the course of the Commission’s investigations that the Organisation had not appointed any data protection officer (“DPO”), and had not developed and put in place any data protection policies that are necessary for it to meet its obligations under the Personal Data Protection Act 2012 (the “PDPA”). 9 Following the Incident, the Organisation took the following remedial actions: (a) Appointed two DPOs; (b) With the assistance of its Vendor, disabled public access to the Web Directories and contacted Google to remove all cached images of the Disclosed Data; and (c) Developed a data protection policy. Findings and Basis for Determination Whether the Organisation had contravened section 24 of the PDPA 10 As a preliminary point, the Organisation owned and managed the Website, and had possession and control over the Disclosed Data at all material times. While the Vendor had been engaged to develop the Website and subsequently provided technical assistance on an ad hoc basis, the Vendor had not processed any personal data collected via the Website on the Organisation’s behalf. The Vendor was therefore not a data intermediary of the Organisation, and the Organisation was solely responsible for the protection of the Disclosed Data under the PDPA. 11 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 12 In this regard, the Commissioner found that the Organisation had failed to put in place reasonable security arrangements to protect the Disclosed Data for the following reasons. 
First, as mentioned at [6], the Organisation did not specify any requirements to its Vendor with respect to the storage and protection of personal data (including the ID Data) which was collected from Members through the Website. The Organisation had intended for the Website to have public profile pages on which Members’ Profile Data were displayed for public access, but at the same time ID Data was collected and to be used for administrative purposes like applying for training grants, facilitating access to secure locations and verifying driving qualifications. Clear requirements could and should have been communicated to its Vendor that ID Data collected through the Website was not meant to be publicly accessible. This can be done by the Organisation from the perspective of the business owner of the Website, while relying on the Vendor to propose the technical implementation that will meet this business requirement. 13 The Commission’s investigations also revealed that security testing had never been conducted since the launch of the Website in October 2018. In this regard, the Organisation admitted that it failed to take into consideration the security arrangements of the Website due to its lack of experience. As observed in WTS Automotive Services Pte Ltd [2018] SGPDPC 26 at [24], while an organisation may not have the requisite level of technical expertise, a responsible organisation would have made genuine attempts to give proper instructions to its service providers. The gravamen in the present case was the Organisation’s failure to do so. 14 The Commission’s Guide on Building Websites for SMEs (revised 10 July 2018) provides guidance on what is expected from organisations contracting professional services to build their corporate websites or other online portals. 
In particular, organisations that engage IT vendors to develop and/or maintain their websites should emphasize the need for personal data protection to their IT vendors, by making it part of their contractual terms (footnote 2). 15 Secondly, and as observed in Re Tutor City [2019] SGPDPC 5 at [21] to [23], where documents containing personal data have to reside on web servers, folder or directory permissions are common and direct methods of controlling access and preventing unauthorised access by public users and web crawlers. Depending on its business needs and circumstances, the Organisation could have instructed the Vendor to implement any of the following reasonable technical security measures to protect the Disclosed ID Images: (a) place documents containing the Disclosed ID Images in a non-public folder/directory. (b) place documents containing the Disclosed ID Images in a non-public folder or directory, with access to these documents controlled through web applications on the server. (c) place documents containing the Disclosed ID Images in a sub-folder within the Public Directory but control access to files by creating a .htaccess file within that subfolder. This .htaccess file may specify the access restrictions (e.g. implement a password requirement or an IP address restriction). Footnote 2: Guide on Building Websites for SMEs (revised 10 July 2018) at [4.2.1]. 16 In view of the above, the Commissioner found that the Organisation had contravened section 24 of the PDPA. Whether the Organisation was in breach of sections 11(3) and 12 of the PDPA 17 In relation to the Organisation’s failure to appoint a DPO and develop and implement any data protection policy, these are required under sections 11(3) and 12 respectively of the PDPA. In particular, section 11(3) requires organisations to designate one or more individuals (typically referred to as a DPO) to be responsible for ensuring that they comply with the PDPA. 
Section 12 of the PDPA requires organisations to (among other things): (a) develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under the PDPA; and (b) communicate information about such policies to its staff. 18 The importance of these requirements has been emphasised multiple times in previous decisions. For example, it is important for an organisation to document its data protection policies and practices in writing as they serve to increase awareness and ensure accountability of the organisation’s obligations under the PDPA (Re Aviva Ltd [2017] SGPDPC 14 at [32]). Similarly, appointing a DPO is important in ensuring the proper implementation of an organisation’s data protection policies and practices, as well as compliance with the PDPA (see e.g. Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 at [31] to [37]). 19 In the circumstances, the Organisation was clearly in breach of sections 11(3) and 12 of the PDPA. While it has since appointed DPOs, it has not yet developed written policies and practices necessary to ensure its compliance with the PDPA. Representations by the Organisation 20 In the course of settling this decision, the Organisation made representations on the amount of financial penalty which the Commissioner intended to impose, and requested that the financial penalty be paid in instalments. The Organisation raised the following factors for the Commissioner’s consideration: (a) The Organisation had limited funds in its bank account and does not have any tangible assets which may be sold to raise funds to pay the financial penalty; (b) The Organisation had been making losses in the preceding 3 months; and (c) The Organisation has been seeking funding assistance from the Singapore Tourism Board. 21 Having carefully considered the representations, the Commissioner has decided to maintain the financial penalty set out in [23(a)]. 
The matters raised by the Organisation in [20] are not additional mitigating factors that justify a reduction in the financial penalty. However, the Commissioner is agreeable to the Organisation’s request that the financial penalty be paid in instalments. The Commissioner’s Directions 22 In determining the directions, if any, to be imposed on the Organisation under section 29 of the PDPA, the Commissioner took into account the following mitigating factors: (a) The Organisation was cooperative in the investigations and provided information promptly; (b) Upon being notified of the Incident, the Organisation took action to disable public access to the Web Directories, and notified its Members of the Incident; and (c) There was limited unauthorised access and disclosure of the Disclosed ID Images as the Web Directories had only been accessed a total of 6 times. 23 Having considered all the relevant factors of this case, the Commissioner hereby directs the Organisation to: (a) Pay a financial penalty of $20,000 in 8 instalments by the due dates as set out below, failing which, the full outstanding amount shall become due and payable immediately and interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full: (i) 1st instalment of $2,500 on 1 February 2020; (ii) 2nd instalment of $2,500 on 1 March 2020; (iii) 3rd instalment of $2,500 on 1 April 2020; (iv) 4th instalment of $2,500 on 1 May 2020; (v) 5th instalment of $2,500 on 1 June 2020; (vi) 6th instalment of $2,500 on 1 July 2020; (vii) 7th instalment of $2,500 on 1 August 2020; and (viii) 8th instalment of $2,500 on 1 September 2020. 
(b) Complete the following within 60 days from the date of this direction: (i) Review the security of the Website and implement appropriate security arrangements to protect the personal data in its possession or control; (ii) Put in place written internal policies and practices as required under section 12 of the PDPA; (iii) Develop and implement a training policy for employees of the Organisation handling personal data to be trained to be aware of, and to comply with the requirements of, the PDPA when handling personal data; and (iv) Require all existing employees to attend such training. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ","Directions, Financial Penalty",00f2b94a482f683c070998c51833856ca9a1a01a,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,116,116,1,952,"A financial penalty of S$5,000 was imposed on PeopleSearch for failing to put in place reasonable security arrangements to protect personal data of its clients. The incident resulted in the data being subjected to a ransomware attack.","[""Protection"", ""Financial Penalty""]",2020-01-09,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---PeopleSearch-Pte-Ltd---261219.pdf,Protection,Breach of the Protection Obligation by PeopleSearch,https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-obligation-by-peoplesearch,2020-01-09,"PeopleSearch Pte. Ltd. [2019] SGPDPC 47 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 47 Case No DP-1903-B3521 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And PeopleSearch Pte. Ltd. … Organisations DECISION PeopleSearch Pte. Ltd. 
[2019] SGPDPC 47 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3521 26 December 2019 Introduction 1 PeopleSearch Pte. Ltd. (the “Organisation”) is a subsidiary of a listed Singapore company (“Listed Company”) that provides professional recruitment and flexible staffing services in Asia. On 15 March 2019, the Listed Company notified the Personal Data Protection Commission (the “Commission”) of a ransomware attack suffered by the Organisation on 1 to 2 March 2019, which resulted in the Organisation not being able to access its clients’ personal data (the “Incident”). Facts of the Case 2 At the material time, the Organisation had a business division that managed outsourced payroll for the Organisation’s clients. In order to do so, the Organisation used a payroll software installed in a server in a virtual machine environment (the “VM Server”). The Organisation’s clients would connect to the VM Server through remote desktop protocol to use the payroll software. All the information (including personal data) in the payroll software was stored in a database that was hosted in the VM Server. 3 At the time of the Incident, the database included the following personal data of 472 individuals employed by 2 of the Organisation’s clients (footnote 1) (collectively, “Employee Data”): (a) Name; (b) NRIC number; (c) Residential address; (d) Contact number; (e) Email address; (f) Bank account number; and (g) Salary details. [Footnote 1: The payroll information of the Organisation’s other clients had been migrated from the VM Server to another server. This was in preparation for the Organisation’s business division managing outsourced payroll being incorporated into a separate legal entity.] 4 The database also included the following personal data of the employees’ next of kin (“Next of Kin Data”) (footnote 2): (a) Name; (b) Age; (c) Contact number; and (d) Relationship to the respective individual. 
5 Taking into consideration the individuals whose information was stored as Next of Kin Data, it is estimated that a total of 944 individuals (comprising the 472 individuals with Employee Data and 472 individuals with Next of Kin Data) were affected by the Incident (the “Affected Individuals”) (footnote 3). [Footnote 2: Some or all of the Next of Kin Data may also constitute Employee Data in that it may be data about the employee (namely, who is their next of kin) which may enable the employee to be identified. However, as the total number of Affected Individuals includes both the employees and their next of kin, the two sets of data are identified separately for the purposes of this Decision.] [Footnote 3: The Organisation was unable to provide the Commission with the number of individuals who were listed as “next of kin” in the payroll information of the 472 individuals as it was no longer in possession of the relevant customer data file. It is estimated that each of the 472 individuals would have provided Next of Kin Data of at least 1 individual.] 6 The Organisation discovered the Incident on 4 March 2019 when a ransom note appeared when it attempted to access the VM Server. The ransom note informed the Organisation that its files had been encrypted, and required payment in Bitcoins in exchange for the decryption key. The Organisation refused to pay the ransom to the cyber-attacker and restored its business operations by using a backup of the VM Server as at 1 March 2019. 7 Upon discovery of the Incident, the Organisation promptly carried out the following remedial actions: (a) Disabled remote desktop accounts and/or changed passwords to mitigate any risks relating to credentials; and (b) Installed the latest Windows Server updates on the restored VM Server. 8 Based on the Organisation’s internal investigations, there was no spike in the outgoing traffic logs from the VM Server at the time of the Incident. 
This suggested that the risk that Employee Data (including the Next of Kin Data) was exfiltrated by the cyber-attacker was immaterial. On 1 April 2019, the Organisation’s business division managing outsourced payroll was incorporated into a separate legal entity and the VM Server was decommissioned. Findings and Basis for Determination Whether the Organisation had breached section 24 of the PDPA 9 It is undisputed that Employee Data and Next of Kin Data constitute “personal data” as defined in section 2(1) of the Personal Data Protection Act 2012 (the “PDPA”). The Organisation had possession and/or control over the Employee Data and Next of Kin Data at all material times, and accepted its responsibility for protecting such data under the PDPA. While there may have been no exfiltration of the Employee Data, as mentioned at [8], there was unauthorised modification of the Employee Data as the ransomware rendered it inaccessible to the Organisation. 10 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. In assessing the standard of reasonable security arrangements required, I considered the fact that Employee Data included NRIC numbers and personal data of a financial nature (i.e. bank account numbers and salary details) (footnote 4). When it comes to the protection of such personal data, there is a need to put in place stronger security measures because of the actual or potential harm, and the severity of such harm, that may befall an individual from an unauthorised use of such data (footnote 5). In my view, the Organisation failed to put in place reasonable security arrangements to protect the Employee Data and Next of Kin Data for the reasons explained below. 
[Footnote 4: Re Aviva Ltd [2018] SGPDPC 4 at [17].] [Footnote 5: Re Credit Counselling Singapore [2017] SGPDPC 18 at [25].] 11 The Organisation admitted that it had not carried out any security scans, penetration testing or patching of the VM Server for at least 12 months preceding the Incident. According to the Organisation, its omission was due to the departure of an employee who was responsible for oversight of the VM Server. This explanation is not accepted. 12 As emphasised in previous decisions and the Commission’s Guide to Securing Personal Data in Electronic Medium (revised 20 January 2017) at [16.3] and [16.4], regular security testing and patching of IT systems are important security measures that organisations should implement to guard against a possible intrusion or attack (footnote 6). The Organisation’s failure to have any process in place to ensure regular security testing and patching of the VM Server resulted in a system that had vulnerabilities and gaps that were exploited by the attacker in planting the ransomware to encrypt the Employee Data. In view of the fact that the VM Server stored personal data of a sensitive nature, this fell far short of the standard of protection required. In the circumstances, I find the Organisation in breach of section 24 of the PDPA. 13 Nevertheless, I note that the Organisation had a good practice of having regular backups of the VM Server. This significantly mitigated the impact of the Incident on the Organisation’s business operations. The Organisation was able to restore the VM Server from a backup as at 1 March 2019, and only lost access to the Employee Data for approximately 2 days from 2 March 2019 to 4 March 2019. 14 In today’s digital age where organisations store information (including personal data) online and move towards a paperless future, it is critically important that they have processes in place to back up their data at frequent and regular intervals. 
The failure to do so may result in crippling consequences to an organisation’s business operations in the event of a cyberattack. In this case, the Organisation’s good practice of having regular backups is a strong mitigating factor that I have taken into account in determining the quantum of financial penalty to impose. [Footnote 6: See for example Re Genki Sushi Singapore Pte Ltd [2019] SGPDPC 26 at [20] and [21].] The Deputy Commissioner’s Directions 15 Having found the Organisation in breach of section 24 of the PDPA, I took into account the following mitigating factors in determining the directions to be imposed on the Organisation: (a) the Organisation’s regular backup process of the VM Server which significantly mitigated the impact of the Incident as discussed at [13] and [14]; (b) The Organisation’s prompt actions to mitigate the effects of the Incident and prevent recurrence of a similar breach; (c) The Organisation’s full cooperation with the Commission’s investigations; (d) There did not appear to be any exfiltration of Employee Data from the VM Server; and (e) The Commission did not receive any complaints about the Incident and there was no indication that the Incident caused harm to the Affected Individuals. 16 Having considered all the relevant facts and circumstances of this case, I hereby direct the Organisation to pay a financial penalty of $5,000 within 30 days from the date of this direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,c4a52d4f14229d8cac99db0327d1480633fb17ae,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,117,117,1,952,"A financial penalty of $6,000 was imposed on National Healthcare Group for failing to put in place reasonable security arrangements to protect a list containing the personal data of partner doctors and members of the public from being publicly accessible online.","[""Protection"", ""Financial Penalty"", ""Healthcare""]",2020-01-09,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---National-Healthcare-Group-Pte-Ltd---261219.pdf,Protection,Breach of the Protection Obligation by National Healthcare Group,https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-obligation-by-national-healthcare-group,2020-01-09,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 46 Case No DP-1802-B1703 and DP-1802-B1765 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And National Healthcare Group Pte Ltd … Organisation DECISION National Healthcare Group Pte Ltd [2019] SGPDPC 46 Yeong Zee Kin, Deputy Commissioner — Case No DP-1802-B1703 and DP-1802-B1765 26 December 2019 Introduction 1 On 10 February 2018, the National Healthcare Group Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) about a complaint it had received in relation to a list containing personal information of partner doctors of the Organisation (the “List”) which was accessible on the Internet (the “Incident”). Subsequently, on 28 February 2018, the Commission received a separate complaint over the Incident. 
Facts of the Case 2 On 17 March 2015, the Organisation awarded a developer (“Website Developer”) a contract to develop its website (the “Website”). The Organisation specified the Website’s functional requirements and contents. A company specialising in IT services (“IT Services Provider”) provided the Organisation with IT support. In this regard, the IT Services Provider ensured that the IT specifications of the Organisation were complied with by the Website Developer, which included coordinating and verifying bug fixes and remedies of security vulnerabilities implemented by the Website Developer. During the process of developing the Website, a section for restricting access to the Website (including the List) was not included in a web configuration file (footnote 1). The Organisation, Website Developer and IT Services Provider signed off on the Website’s functional requirements specification, user acceptance test cases, and website commissioning. The relevant web configuration file was not examined before the Website went “live” in December 2015. 3 Around June or July 2016, a vendor (the “Vendor”) was engaged to conduct a penetration test of the Website. The penetration test report (the “Penetration Test Report”) highlighted the unrestricted access to the List through the Internet as a vulnerability. The Penetration Test Report also recommended the remedy, which was to ensure that the authorisation rules be configured to restrict Internet access to authorised users only. 4 On 7 February 2018, a general practitioner (“GP”), who had signed up to be a partner doctor of the Organisation, found the List through a Google search of her name and notified the Organisation. 
The List contained personal information of 129 GPs who had registered to be partner doctors of the Organisation via an online form on the Website (“NHG Partners”), and personal information of 5 members of the public which was generated when they submitted feedback on the Website. [Footnote 1: Web configuration files determine the way a website or directory on a website behaves. Web configuration files placed in the root directory of a website will affect the behaviour of the entire site.] 5 The types of information contained in the List (collectively, the “Disclosed Data”) include: (a) With respect to the 129 GPs: (i) their full names (128 GPs), mobile numbers (111 GPs), mailing address (14 GPs), email address (117 GPs) and clinic address (115 GPs) (collectively, “GP’s Contact Information”); (ii) Singapore Medical Council (“SMC”) registration numbers of 129 GPs (“GP’s Registration Numbers”); and (iii) NRIC numbers (111 GPs), dates of birth (112 GPs) and photographs (41 GPs) (collectively, “GP’s Other Data”). (b) With respect to the 5 non-GPs, full names and email addresses, as well as mobile numbers of 3 of them (“Other Individual’s Data”). 6 Upon being notified of the Incident on 7 February 2018, the Organisation promptly carried out the following remedial actions: (a) On 8 February 2018, the Organisation took the Website offline, as well as found and fixed the cause of the Incident; (b) The Organisation sent several requests to Google to remove cached copies of the List indexed from 9 to 13 February 2018. From 21 February 2018, the Organisation performed daily Google searches on the 129 affected records until the cached links could no longer be found on 5 March 2018. Thereafter, the Organisation conducted periodic Google searches until 8 May 2018; and (c) From 19 February 2018 to 6 March 2018, the Organisation contacted all affected GPs to inform them of the Incident. 
7 In addition, to prevent a recurrence of a similar Incident, the Organisation has also adopted the following practices: (a) Two additional checks at the front-end publishing site for SharePoint websites will be carried out during user acceptance testing and prior to going “live”: (i) The project manager would check the configuration which controls publishing of “visible” pages (lists) after the vendor submits the web configuration prior to the deployment; and (ii) The test script would include testing of authorised access to the relevant web pages. The web pages would also generally be tested to ensure non-public web pages cannot be accessed by non-authorised users. (b) Performing penetration tests prior to websites going “live”. Findings and Basis for Determination Whether the Protection Obligation under Section 24 of the PDPA applies to the Disclosed Data 8 While the Disclosed Data is personal data as defined in section 2(1) of the Personal Data Protection Act 2012 (“PDPA”), the Protection Obligation under section 24 did not apply to the following 2 categories of Disclosed Data – GP’s Contact Information and GP’s Registration Numbers. 9 In relation to GP’s Contact Information, pursuant to section 4(5) of the PDPA, Parts III to VI of the PDPA do not apply to business contact information. GP’s Contact Information falls within the definition of “business contact information” as defined in section 2(1) of the PDPA because it was provided by the GPs to the Organisation for the purposes of registration as NHG Partners, and as a means of contacting them in their professional capacity. 10 In relation to GP’s Registration Numbers, the same information is generally available to the public on the SMC website and hence it is “publicly available” as defined in section 2(1) of the PDPA. 
The raison d’être for making such information available is to assist in the identification of licensed medical practitioners and the nature of their qualification and practice. The register of medical practitioners is maintained by the Singapore Medical Council under section 19 of the Medical Registration Act. It is maintained as multiple lists, i.e., locally-trained doctors, international medical graduates, provisional, conditional, temporary or full registrations, as well as specialist registration and family physician registration. This information enables an inquisitive patient to verify the nature of medical practice that a physician is permitted to practise. To my mind, this is information that falls under the “other similar information about the individual” limb of the definition of business contact information as it assists in the identification of the medical practitioner to whom the business contact information relates. 11 In the circumstances, the Protection Obligation only applied to GP’s Other Data and Other Individual’s Data (collectively, the “Disclosed Personal Data”). Whether the Organisation had breached the Protection Obligation under section 24 of the PDPA 12 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 13 As a preliminary point, the Organisation owned the Website and had possession and control over the Disclosed Personal Data at all material times. 
While the Website Developer was engaged to develop the Website and the IT Services Provider provided IT support to the Organisation (including maintenance and technical support for the Website), the investigations revealed that neither of these parties processed the Disclosed Personal Data on the Organisation’s behalf with respect to the Website. The IT Services Provider and Website Developer were accordingly not data intermediaries with respect to the operation of the Website, and the Organisation was solely responsible for the protection of the Disclosed Personal Data. 14 Based on the investigations, the Organisation had failed to put in place reasonable security arrangements to protect the Disclosed Personal Data as explained below. 15 The Penetration Test Report expressly pointed out that web services could be used to access SharePoint data (which included the List containing the Disclosed Personal Data) via the Internet and recommended that this vulnerability be remediated by reconfiguring the web configuration to restrict access to authorised users only. The Penetration Test Report was issued more than a year prior to the Incident. This was more than sufficient time for the Organisation to remedy the vulnerability which caused the Incident. 16 According to the Organisation, the vulnerability was inadvertently left unfixed as it was not sufficiently highlighted by the Vendor in the Penetration Test Report. This was an unsatisfactory excuse. First, the relevant findings and recommendations were the first item in the Penetration Test Report. Second, they were expressed in terms that no technical expertise was required for their significance to be understood. If the Organisation did not understand the findings and/or recommendations, it should have consulted the Vendor for clarifications. 
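The finding at [15], an access restriction missing from the web configuration, is the kind of gap that can be checked mechanically before go-live, which is what the practice adopted at [7](a)(i) amounts to. The Python below is an added example written for this page, not code from the Organisation, its vendors or the Commission. It assumes the SharePoint site is an ASP.NET application whose authorisation rules live in web.config authorization sections, walks those rules the way ASP.NET does (rules from the most specific location element first, then the root-level rules; the first matching rule wins; the request is allowed when no rule matches) and reports which non-public paths an anonymous Internet user could still read. The two configurations, the list path and the web-service path are constructed for the illustration and are not taken from the decision.

```python
# Added example for this decision, not the Organisation's or its vendors' code:
# a go-live check over an ASP.NET-style web.config, assuming the SharePoint
# site's authorisation rules live in <authorization> sections (an assumption).
import xml.etree.ElementTree as ET

# Constructed sample: a configuration with no section restricting access,
# which is the state the decision describes at [2].
WEAK_CONFIG = '''<?xml version='1.0'?>
<configuration>
  <system.web>
    <authentication mode='Windows' />
  </system.web>
</configuration>
'''

# Constructed sample: the same file after the penetration test recommendation,
# denying anonymous users ('?') on the non-public list and web-service paths.
FIXED_CONFIG = '''<?xml version='1.0'?>
<configuration>
  <system.web>
    <authentication mode='Windows' />
  </system.web>
  <location path='Lists/NHGPartners'>
    <system.web>
      <authorization>
        <allow roles='PartnerAdmins' />
        <deny users='?' />
      </authorization>
    </system.web>
  </location>
  <location path='_vti_bin'>
    <system.web>
      <authorization>
        <deny users='?' />
      </authorization>
    </system.web>
  </location>
</configuration>
'''

# Paths from the go-live checklist that must never be readable anonymously
# (illustrative names; the real list and service paths are not on the page).
NON_PUBLIC_PATHS = [
    'Lists/NHGPartners',
    'Lists/NHGPartners/AllItems.aspx',
    '_vti_bin/listdata.svc',
]


def _child(elem, tag):
    '''Direct child element with the given tag, or None.'''
    if elem is None:
        return None
    return next((c for c in elem if c.tag == tag), None)


def _rules_in(system_web):
    '''(verb, users, roles) tuples from a <system.web><authorization> block.'''
    auth = _child(system_web, 'authorization')
    if auth is None:
        return []
    return [(r.tag, r.get('users', ''), r.get('roles', '')) for r in auth]


def _rules_for(root, path):
    '''Rules that apply to a path: the most specific <location> first, then
    the root-level rules, which is the order ASP.NET merges them in.'''
    rules = []
    locations = [(loc.get('path', '').strip('/'), loc) for loc in root.findall('location')]
    for loc_path, loc in sorted(locations, key=lambda item: -len(item[0])):
        if loc_path and (path == loc_path or path.startswith(loc_path + '/')):
            rules.extend(_rules_in(_child(loc, 'system.web')))
    rules.extend(_rules_in(_child(root, 'system.web')))
    return rules


def anonymous_can_read(config_xml, path):
    '''True if an unauthenticated request for path would be served. The first
    matching rule wins; with no matching rule ASP.NET allows the request,
    which is exactly how a missing section exposes a list to the Internet.'''
    root = ET.fromstring(config_xml)
    for verb, users, roles in _rules_for(root, path.strip('/')):
        if roles:  # an anonymous request holds no roles, so role rules never match it
            continue
        names = {u.strip() for u in users.split(',')}
        if '?' in names or '*' in names:
            return verb == 'allow'
    return True


def unprotected_paths(config_xml, non_public_paths):
    '''The checklist entries an anonymous user could still read; an empty
    result is the condition for letting the configuration go live.'''
    return [p for p in non_public_paths if anonymous_can_read(config_xml, p)]


if __name__ == '__main__':
    for label, cfg in (('weak', WEAK_CONFIG), ('fixed', FIXED_CONFIG)):
        print(label, 'config still exposes:', unprotected_paths(cfg, NON_PUBLIC_PATHS))
```

Run as a script it prints the exposed paths for both configurations. Wired into the user acceptance test at [7], a non-empty result blocks deployment; the static check complements, and does not replace, the test script actually requesting each non-public page without credentials, since a rule can be present and still be shadowed by an earlier allow.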
17 The Organisation also asserted that it had relied on the IT Services Provider and Website Developer to act on any issues identified in the Penetration Test Report. It should be reiterated that while an organisation may delegate work to vendors to comply with the PDPA, the organisation’s responsibility for complying with its statutory obligations under the PDPA may not be delegated (footnote 2). In this case, the Organisation failed to exercise reasonable oversight with respect to the review of the Penetration Test Report and rectification of the vulnerabilities of its Website. [Footnote 2: See WTS Automobile Services Pte Ltd [2018] SGPDPC 26 at [14] and [23].] Representations by the Organisation 18 In the course of settling this decision, the Organisation made representations and asked that a warning be imposed in lieu of a financial penalty. The Organisation raised the following factors in its representations: (a) As the appointed public healthcare shared services provider, the IT Services Provider was responsible for the overall management, deployment and maintenance of the Organisation’s IT systems, including the Website. Similar to the facts of Re Singapore Health Services Pte Ltd & Ors [2019] SGPDPC 3, the IT Services Provider’s staff was deployed to the Organisation to support day-to-day operations and provide technical support. As there was no IT staff employed by the Organisation, it had to rely on the technical expertise provided by the IT Services Provider. In particular, the Chief Information Officer (“CIO”) and Cluster Information Security Officer (“CISO”) for the Organisation were employed by the IT Services Provider and seconded to the Organisation; (b) The IT Services Provider was a data intermediary. 
The Website’s database was hosted on the Healthcare Data Centre (H-Cloud) network which was (and is still) operated, maintained and managed by the IT Services Provider; (c) The IT Services Provider was in charge of the penetration test, as well as coordinating and deploying the fixes. The vulnerability on the Website that caused the Incident was not highlighted to the Organisation; and (d) The Disclosed Personal Data was not medical data, and therefore not personal data of a particularly sensitive nature which should be accorded a higher standard of protection. 19 Having considered the representations, I have decided to maintain the financial penalty set out in [21] for the following reasons: (a) While the IT Services Provider’s staff deployed to fill the CIO and CISO roles may have been employed by the IT Services Provider, to the extent that they were carrying out the functions of the Organisation’s CIO and CISO in accordance with the terms of their secondment, they were acting on behalf of the Organisation. As such, I find that their actions should be attributed to the Organisation and not the IT Services Provider; (b) The Incident did not arise from a compromise of the Healthcare Data Centre (H-Cloud) network that hosted the Website’s database. Instead, and as mentioned at [2], the cause of the Incident was that a section for restricting access to the Website (including the List) was not included in a web configuration file. While the IT Services Provider provided technical support for the Website, it did not process the Disclosed Personal Data through the Website. The IT Services Provider was accordingly not a data intermediary with respect to the operation of the Website; (c) As explained at [15] to [17], the Organisation failed to exercise reasonable oversight with respect to the review of the Penetration Test Report and rectification of the vulnerabilities of the Website. 
In this regard, the Penetration Test Report had expressly pointed out that web services could be used to access SharePoint data (which included the List containing the Disclosed Personal Data) and recommended that this vulnerability be remediated by reconfiguring the web configuration to restrict access to authorised users only; and (d) The fact that the Disclosed Personal Data was not medical data had already been taken into account in the quantum of financial penalty set out in [21], which would have been higher if the Disclosed Personal Data had been of a more sensitive nature, such as medical data. Directions 20 In determining the directions, if any, to be imposed on the Organisation under section 29 of the PDPA, I took into account the following mitigating factors: (a) the Organisation took prompt remedial actions following the Incident as set out in [6] and [7]; (b) the Organisation was fully cooperative during the investigations; (c) the Organisation took immediate steps to notify the affected individuals of the Incident; and (d) there was unauthorised disclosure to one individual and no modification or exfiltration of the Disclosed Personal Data. 21 Having considered all the relevant factors of this case, I hereby direct the Organisation to pay a financial penalty of $6,000 within 30 days from the date of the directions, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. I have not set out any further directions for the Organisation given the remediation measures already put in place. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,29d3c0d5771aa5ddfea72dcff51a0ef0c5dde45a,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,118,118,1,952,"Directions, including a financial penalty of $10,000, were imposed on SAFRA for failing to put in place reasonable security arrangements to protect the personal data of the members of its Shooting Club. SAFRA was also directed to review its internal processes to put in place process safeguards and written internal standard operating procedures to protect the personal data of its members.","[""Protection"", ""Directions"", ""Financial Penalty""]",2020-01-09,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---SAFRA---161219.pdf,Protection,Breach of the Protection Obligation by SAFRA National Service Association,https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-obligation-by-safra-national-service-association,2020-01-09,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 45 Case No DP-1809-B2711 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SAFRA National Service Association … Organisation DECISION SAFRA National Service Association [2019] SGPDPC 45 Yeong Zee Kin, Deputy Commissioner — Case No DP-1809-B2711 16 December 2019 Facts of the Case 1 On 13 September 2018, the Personal Data Protection Commission (the “Commission”) received a voluntary breach notification from SAFRA National Service Association (the “Organisation”). An employee of the Organisation (the “Employee”) had sent out two separate batches of e-mails attaching an Excel spreadsheet (the “Spreadsheet”) containing the personal data of certain members of the Organisation’s shooting club (the “SSC”) to other members (the “Incident”). 
2 According to the Employee, his job scope included sending mass e-mails to SSC members. He had been sending such e-mails since September 2016 at least once a month. According to him, he was not aware of any SOPs for the sending of such mass e-mails. The Employee claims that his supervisor had instructed him verbally on the process. First, prepare the proposed e-mail, and attach a spreadsheet containing the intended recipients’ e-mail addresses extracted from another internal system. Next, send this draft e-mail from his individual work e-mail account to the official SSC e-mail account. Thereafter, copy the intended recipients’ e-mail addresses into the draft e-mail, and delete the attached spreadsheet, before sending out the mass e-mail. This is the process that the Employee had been following whenever he sent mass e-mails to SSC members, as was the case during the Incident. 3 The Organisation claims that it was not aware of this process for mass e-mails. However, its staff were briefed on the practice of using the bcc function when sending mass e-mails and were verbally instructed to “check and ensure that no unnecessary information or document (including those which contain personal data) has been enclosed before sending an email to members”. 4 The Incident occurred on 9 September 2018. The Employee followed this procedure to publicise an upcoming event. After copying the e-mail addresses from the Spreadsheet and pasting them in the bcc field of the e-mail, the Employee tried to delete the Spreadsheet. He was prompted by the webmail that “the attachment could not be removed and to try again”. This was the first time he had encountered such an error message. The Employee claims that upon trying to delete the Spreadsheet again, “the Spreadsheet disappeared from the email draft” and he proceeded to send the first batch of mass e-mails. The same thing happened for the second batch of mass e-mails sent by the Employee. 
According to the Employee, he was notified by an SSC member right after sending the second batch of mass e-mails that the Spreadsheet had been attached to the mass e-mails. Upon checking the “Sent Items” folder on the SSC e-mail account, he realised that the Spreadsheet was attached to the sent e-mails. 5 The Incident resulted in the Spreadsheet containing the personal data of 780 SSC members being sent to 491 SSC members. The types of personal data in the Spreadsheet (the “Personal Data”) included the following: (a) Name; (b) NRIC number; (c) Date of birth; (d) Address; (e) Telephone number; and (f) E-mail address. 6 Upon being notified of the Incident, the Organisation took the following remedial actions: (a) Completed the masking of members’ NRIC numbers in its internal systems and reports, which it was in the process of undertaking; (b) Circulated the Commission’s guidelines on the Personal Data Protection Act 2012 (the “PDPA”) with reminders to be mindful when handling personal data; (c) Notified all affected SSC members about the Incident via e-mail and SMS, and provided an e-mail address and phone number for members to contact for any queries on the Incident; (d) Put up an announcement on the Organisation’s website regarding the Incident; (e) Set up an incident response team and incident management hotline and prepared an FAQ for its frontline staff; and (f) Followed up with phone calls to the SSC members who received the Spreadsheet to delete the attachment. Findings and Basis for Determination 7 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (“Protection Obligation”). 8 As a preliminary point, the Organisation alleges that it had replicated the steps taken by the Employee to confirm whether or not the Employee’s version of events was accurate. 
The Organisation claimed that, in replicating these steps, it had similarly encountered the issue as set out in paragraph 4 above. When the Commission requested for evidence of the tests conducted, the Organisation provided some screenshots of emails with attachments, and stated that the test results were not saved, although “[the investigation team] had witnessed [the test] but no screen shot or video recording was made”. However, these screenshots were inconclusive in demonstrating that the Organisation managed to replicate the issues. As part of its investigations, the Commission contacted the Organisation’s webmail software service provider who informed that it had not encountered such an issue nor had it encountered or received any enquiry on such an issue from users of its webmail software at the material time. On a balance of probabilities, based on a review of the evidence before me, I am unconvinced that there was a software glitch. It is more likely that the Employee had simply failed to delete the attached Spreadsheet prior to sending the emails out. 9 The key issue in this case revolves around the practice adopted by the Organisation for sending mass e-mails. The Organisation’s method of drafting the mass e-mail using the individual work e-mail address of the relevant employee and then sending it to the official SSC e-mail address with the Spreadsheet attached gave rise to the risk of accidental disclosure of the Personal Data in the Spreadsheet. Manual processes such as this give rise to risks of human error. Having in mind that this is a task that the Employee had to perform at least once a month, and the fact that the Organisation had already digitized its membership records, the task could have been partially automated. There are readily available technical solutions like mail-merge functions or the creation of frequently used mailing lists. 
The Commission’s Guide to Preventing Accidental Disclosure When Processing and Sending Personal Data (published 20 January 2017) states (at [2.1]) that organisations may implement automated processing of documents or communications containing personal data (e.g. merging content or populating fields from various sources) to ensure destination information is correct. Organisations are also reminded to ensure the accuracy and reliability of the automated processing implemented by checking these systems and processes regularly. 10 Further, the Guide on Printing Processes for Organisations (published 3 May 2018) also provides guidance (at page 11) on how organisations may use Mail Merge when emailing to ensure the accuracy of the list of intended recipients and the corresponding merged fields in the email. 11 Additionally, the Organisation was unaware of this manual process that its Employee had been using since September 2016 (and potentially earlier, by other employees or by his supervisor) to send out mass e-mails. As stated in [3], the Organisation claimed that it had given certain verbal instructions to its staff on data protection handling practices pertaining to e-mail correspondence. In general, verbal instructions are insufficient as employees would be unable to refer to them in the course of their duties and may very well be unable to recall such instructions after some time. For a regular and perhaps even frequent task like the present monthly mass e-mail to members to publicise upcoming events, the Organisation should have a properly documented process and consider the use of process automation tools. 12 In light of the foregoing, I am satisfied that the Organisation had contravened section 24 of the PDPA. 
13 The Organisation informed the Commission after the preliminary Decision in this matter was issued to the Organisation that the following measures have since been put in place: (a) Mass emails will no longer be sent using the Organisation’s generic email account and will only be sent out by a designated Executive or authorised personnel approved by the Club Manager using his or her individual work email account; (b) The downloading of the list of members from the Organisation’s system will be carried out by the Executive personally; (c) The categories of personal data in the list of members that may be downloaded from the system has been reduced; (d) The frequency of mass emails to update members on programmes and events will be reduced from monthly to bi-monthly or quarterly; (e) All new staff will undergo an orientation programme on the operations of the shooting club within the 1st week of joining and only selected staff will be allowed to handle email updates and will also be trained within the 1st week of joining the club; (f) More stringent access controls to the Organisation’s databases have been implemented; (g) The 1st 5 characters of members’ NRIC numbers are masked in the Organisation’s internal systems; (h) The IT Policy has been updated to include guidelines for the protection, encryption and sharing of the Organisation’s database. As part of this update, databases are to be encrypted or password protected before they are shared and may only be shared with the written consent of a Head of Department or custodian; and (i) Training has been provided to staff on data handling. 14 The Organisation also informed that it was in the midst of enhancing its existing system to automate the sending of mass emails. The Organisation asked for an extension of the timeframe for implementation of the second direction set out in the next section. 
The Deputy Commissioner has decided to accede to the Organisation’s request and has lengthened the timeframe to the period set out below. The Deputy Commissioner’s Directions 15 In determining the directions to be imposed on the Organisation under section 29 of the PDPA, I took into account the following mitigating factors: (a) the Organisation voluntarily notified the Commission of the Incident; (b) the Organisation was cooperative and had provided prompt responses to the Commission’s requests for information; (c) the Organisation implemented remedial actions swiftly to address the Incident; and (d) there was no evidence of any further unauthorised use of the Personal Data in the Spreadsheet. 16 Having carefully considered all the relevant factors of this case, I hereby direct the Organisation: (a) to pay a financial penalty of $10,000 within 30 days of the date of this direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full; and (b) to conduct a review of its email system and processes to put in place process safeguards and written internal standard operating procedures to protect the personal data of its members within 120 days of the date of this direction. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION","Directions, Financial Penalty",010708766ce21b512c280cfe9da288cff633f350,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,119,119,1,952,"A financial penalty of $34,000 was imposed on Globalsign.in for failing to put in place reasonable security arrangements to protect the personal data supplied by its clients. 
Globalsign.in, which sends mass marketing emails on behalf of its clients to their respective customers, was also found to be holding personal data which was no longer necessary for legal or business purposes.","[""Protection"", ""Retention Limitation"", ""Financial Penalty""]",2020-01-09,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--MSIG-Insurance-Singapore-Pte-Ltd--191119.pdf,"Protection, Retention Limitation",Breach of the Protection and Retention Obligations by Globalsign.in Pte Ltd,https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-and-retention-obligations-by-globalsignin-pte-ltd,2020-01-09,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 43 Case Nos. DP-1708-B1066; DP-1708-B1086 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) MSIG Insurance (Singapore) Pte Ltd (2) Globalsign.in Pte Ltd …Organisation(s) DECISION Re MSIG Insurance (Singapore) and another [2019] SGPDPC 43 (1) MSIG Insurance (Singapore) Pte Ltd (2) Globalsign.in Pte Ltd [2019] SGPDPC 43 Mr Tan Kiat How, Commissioner – Case Nos. DP-1708-B1066; DP-1708-B1086 19 November 2019 Introduction and Material Facts 1. MSIG Insurance (Singapore) Pte Ltd (“MSIG”) notified the Personal Data Protection Commission (the “Commission”) on 22 August 2017 that the mass emailing system of its service provider, Globalsign.in Pte Ltd (“GSI”), had been accessed without authorisation and used to send spam emails (the “Incident”) to 149,172 email addresses which belonged to MSIG’s customers (“Impacted Customers”). 2. GSI runs and hosts an email marketing platform known as “Global2Mail Online Marketing Web Application” (the “G2M” platform). GSI uses the G2M platform to send mass marketing emails to email addresses supplied by its clients. 3. MSIG, an insurance provider, had engaged GSI to send marketing emails to its customers via the G2M platform. 
For this purpose, MSIG and GSI had entered into an agreement dated 1 October 2013. An addendum to the said agreement was entered into on 16 May 2014 to take into consideration the obligations of both organisations under the Personal Data Protection Act 2012 (the “PDPA”). GSI’s services were renewed by MSIG, with MSIG and GSI entering into a new agreement on 1 August 2017 (the “Agreements”). 4. MSIG provided GSI with a list of email addresses of its customers each time an email marketing campaign was launched. For some of the email addresses, MSIG also provided the first and last names to GSI and these would be captured in the G2M platform. According to MSIG, the email addresses and names (where applicable) provided to GSI were password-protected. 5. Although no specific retention period for the email addresses provided by MSIG to GSI was stated in the Agreements, MSIG required GSI to delete and purge the email addresses and other personal data from its server after each marketing campaign. This is seen from emails sent by MSIG to GSI on 9 December 2016, 30 May 2017 and 5 June 2017 where MSIG asked GSI to confirm that it had purged the email addresses which had been provided by MSIG to GSI for specific marketing campaigns. 6. On 18 August 2017, the administrator account of the G2M platform was accessed without authorisation. By accessing the administrator account, the intruder was also able to access the email addresses and, in certain instances, names of individuals (the “Compromised Data”) that were stored on the G2M platform. 7. On 19 August 2017, the G2M platform sent spam emails to 359,364 email addresses that were stored on the G2M platform (the “Spam Emails”). 
149,172 of these email addresses were email addresses of MSIG’s Impacted Customers (which MSIG had provided to GSI) and 201,192 were email addresses of customers (“Other Impacted Individuals”) provided to GSI by three of GSI’s other clients for use with the G2M platform. Each of the Spam Emails: (a) purported to provide tips on how to win a lottery; (b) contained a link under “clickbank.net” that redirected its users to a video on “lotterydominator.com”; (c) appeared to be sent from “MSIG Insurance” with the address “service@sg.msigasia.com”; (d) was only sent to one email address; and (e) contained no other personal data other than the email address of the recipient. 8. After MSIG informed the Commission about the Incident on 22 August 2017, MSIG and GSI jointly engaged a cyber-security consultancy to investigate the data breach. 9. The cyber-security consultancy’s investigations concluded that the Spam Emails did not contain phishing or malware content. It would appear that the end users who clicked on the links in the Spam Emails were simply redirected to the video on the “lotterydominator.com” website and there were no complaints from the users of any further negative consequences from clicking the links. 10. MSIG took the following remedial action after the Incident: (a) On 21 August 2017, MSIG posted an alert on the Spam Emails on its corporate website and Facebook page. (b) On 22 August 2017, MSIG instructed GSI to purge all email addresses and names of its customers in GSI’s database, save for those customers that were affected, as they wanted to send out an apology email; (c) FAQs were included from 28 August 2017. MSIG also instructed GSI to deactivate its email account service@sg.msig-asia.com which had been used to send the Spam Emails; (d) On 24 August 2017, MSIG worked with GSI on an email sent by the latter to all 149,172 affected MSIG customers to apologise for the breach. 
The email included instructions on removing any malware from the link in the Spam Email. It provided a point of contact for any queries. MSIG instructed GSI to purge the email addresses and names of its affected customers thereafter. 11. Between 21 to 30 August 2017, MSIG addressed queries from 92 customers who had been affected by the Incident. 12. Separately, GSI took the following remedial action after the Incident: (a) Blocked the Spam Email link at server level to prevent recipients being re-directed to the site; (b) Immediately disabled the compromised administrator account to ensure no data would be exported and subsequently restored the account after putting in place additional security measures; (c) Changed password to the administrator account before restoring the account and implemented two-factor authentication (2FA) for all accounts whereby users would have to key in a one-time password sent either to their mobile number by SMS or Google Authenticator Application; (d) Transferred the application database to a new server, hosted in Amazon Web Services in Singapore in an encrypted database; (e) Enforced HTTPS so that all traffic from end-users to GSI’s website would be encrypted; (f) Improved logging of access, whereby I.P. addresses used to access G2M would be properly logged at application server level, and added logging of web attacks that had been blocked by the server firewall; and (g) Engaged a consulting company to assist GSI in implementing policies that meet the ISO 27001 standards. Findings and Basis for Determination Whether the Compromised Data included Personal Data 13. The personal data found in the Compromised Data included (i) the first and last names of some MSIG customers, (ii) the email addresses of those customers (i.e. 
which were stored with the names of the customers) and (iii) the email addresses of other customers which contained their full or partial names (the “Compromised Personal Data”). In relation to the latter set of email addresses, as set out in Re Credit Counselling [2017] SGPDPC 18 at [9], email addresses are personal data if they disclose the full name or partial name of individuals which allows for the identification of such individuals. 14. The Compromised Data also included other email addresses which were not linked to, or did not contain, the name of the customer (“Other Email Addresses”). It was also noted in Re Credit Counselling (at [10]) that an email address coupled with other information which enables identification of an individual, such as information obtained from a search on the Internet, is personal data. Whether MSIG or GSI had breached section 24 of the PDPA 15. The main issue in this case is whether MSIG and GSI had done enough to protect the Compromised Personal Data which was in their possession or under their control. Section 24 of the PDPA requires organisations to make reasonable security arrangements to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or similar risks. 16. As MSIG had provided the personal data relating to MSIG’s Impacted Customers to GSI in order to make use of the G2M platform for its purposes, both MSIG and GSI are required to comply with section 24 of the PDPA. However, the scope of their respective obligations under that section differs. In addition, GSI would be required to comply with section 24 in respect of all Compromised Personal Data (that is, personal data relating to MSIG’s Impacted Customers and the Other Impacted Customers). 17. 
In relation to MSIG, as they had engaged GSI to send marketing emails using the G2M platform, the scope of their obligations would relate to the arrangements MSIG established in order to ensure that GSI protected the personal data in the G2M platform. In respect of MSIG, the Commissioner found that MSIG had complied with its obligations under section 24 of the PDPA for the following reasons: (a) MSIG imposed security requirements on GSI under the Agreements to protect personal data. An express clause in the Agreements provides that GSI shall “implement sufficient and appropriate measures to guard against accidental or unauthorised access, collection, use, disclosure, misuse, loss, destruction, deletion, alteration, modification and processing of the Personal Data”; (b) MSIG also had the right under the Agreements to inspect and audit GSI; and (c) There was evidence that MSIG followed through with these contractual obligations with operational processes, for example, there were emails showing that MSIG required GSI to purge the personal data it provided after each marketing campaign. In this regard, MSIG had sent emails to GSI on at least three separate occasions between December 2016 and June 2017 asking GSI to purge email addresses provided by MSIG from its system. 18. In relation to GSI, as GSI was operating the G2M platform, it was required to put in place reasonable security arrangements in the form of technical or administrative measures to protect the personal data in the G2M platform. In this regard, the Commissioner found that GSI had not made the appropriate security arrangements and was therefore in contravention of section 24 of the PDPA for the following reasons: (a) GSI had not implemented administrative or technical measures to require a regular change to the passwords to its administrator and client accounts in the G2M platform. 
In addition, GSI recognised that there was a risk that if accounts of staff who had left the employment of GSI were not disabled, these former staff may continue to have access to its applications. The need for an effective password expiry mechanism has been discussed in past decisions such as Re Orchard Turn Developments Pte Ltd [2017] SGPDPC 12; (b) When the administrator account changed hands, there were no logs to record the fact that passwords had been changed; (c) Users were encouraged to choose strong passwords but GSI did not enforce any password strength requirements. The need for strong passwords is discussed in Re Singhealth and anor [2019] SGPDPC 3; (d) All the users of the administrator account shared the same administrator account and the same set of login credentials. This made it difficult to determine which staff had accessed the account or identify who had made changes to the system during each log-in session. Re Orchard Turn Developments Pte. Ltd. [2017] SGPDPC 12 explains why the sharing of administrator account credentials can give rise to an increased risk of data breaches; (e) It was found that no security scans were carried out over the 12 months before the Incident. Security scans are important in light of the type of personal data likely to be held by MSIG as an insurer. In Re Courts (Singapore) Pte Ltd [2019] SGPDPC 4, the Respondent’s lack of regular testing and scanning for security issues were taken into account as factors to find a breach of section 24 of the PDPA. (f) GSI claimed that it had complied with MSIG’s express instructions to “delete and purge the data after each marketing campaign”. However, this cannot be true as the G2M platform still retained at least 149,172 email addresses provided by MSIG which had been used in this Incident. Whether GSI had complied with section 25 of the PDPA 19. 
As noted above, it appeared that GSI had not deleted 149,172 email addresses provided by MSIG after the relevant marketing campaigns were completed and notwithstanding email reminders from MSIG. Section 25 of the PDPA requires an organisation to cease retaining documents containing personal data, or to remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that: (a) The purpose for which that personal data was collected is no longer being served by retention of the personal data; and (b) Retention is no longer necessary for legal or business purposes. 20. As GSI was required to delete email addresses provided by MSIG once the relevant marketing campaigns were completed, GSI ipso facto ceased to have any purpose for retaining the email addresses in the G2M platform once the relevant marketing campaigns were completed. Accordingly, the Commissioner found that GSI was in contravention of section 25 of the PDPA. GSI’s Representations 21. After the Commissioner’s preliminary decision was issued to MSIG and GSI, GSI submitted representations in relation to the quantum of financial penalty which the Commissioner proposed to impose in relation to its breach of section 24 of the PDPA and against the Commissioner’s determination that it had breached section 25 of the PDPA. However, GSI did not disagree with, or make any representations relating to, the Commissioner’s findings that it had breached section 24 of the PDPA. 22. 
First, GSI raised the following points as to why certain numbers of email addresses should not be taken into consideration in determining the number of affected individuals: (a) 4,488 of the email addresses which were stored on the G2M platform and which received the Spam Emails did not include the name or any other identifier of the individuals; (b) approximately 12,000 Spam Emails sent to the email addresses stored on the G2M platform had bounced; (c) approximately 145,338 Spam Emails were sent to GSI’s overseas based clients; and (d) Only 18,113 recipients opened the Spam Emails and, of these, only 339 recipients clicked on the link contained within the Spam Emails. 23. In relation to sub-paragraph (a) above, the Commissioner accepts GSI’s representation and has taken the reduced number of impacted individuals into account in determining the financial penalty quantum specified below. In relation to (b), the fact that the Spam Emails bounced is not conclusive that the email addresses were invalid as the emails may have bounced due to other reasons, such as the recipient’s email inbox being full at that time. In relation to (c), GSI is required to protect personal data in its possession or under its control and it is immaterial whether the relevant individuals were resident in Singapore or overseas. Finally, in relation to (d), it has already been taken into account that there was no harm suffered by the recipients (see paragraph 32 below) and the Organisation’s point at (d) above does not provide further mitigation of the Organisation’s breach. 24. Secondly, GSI represented that MSIG had access to the G2M platform and could exercise functions such as verifying the content of the platform, creating and sending out email campaigns and deleting content and emails. However, the fact that MSIG had access to the G2M platform does not absolve GSI from its obligations under the PDPA. 
The fact remains that MSIG had engaged GSI to send marketing emails using the G2M platform and GSI was obliged under the PDPA to protect the personal data that was in its possession or under its control for the purposes of this engagement. Furthermore, MSIG had specifically instructed GSI to delete the email addresses after each marketing campaign and this is something that GSI is contractually bound to do. 25. Thirdly, GSI raised the following additional points as mitigating factors for the Commission’s consideration: (a) GSI had been fully cooperative during the Commission’s investigations; (b) There was no evidence of exfiltration, further disclosure or modification of the Compromised Data; (c) The Spam Emails sent to the Impacted Customers did not contain any personal data; (d) There was no evidence of actual loss or damage suffered by any of the Impacted Customers; (e) GSI has also sent an email notification to all Impacted Customers of the Spam Emails; (f) GSI has in place internal data protection policies prior to the Incident; and (g) GSI has since taken further steps to tighten and strengthen its data protection policies and mechanisms, including sending additional employees for further PDPA training, engaging external vendors to conduct advisory sessions and gap analysis, completing a surveillance audit and implementing various internal programs and workshops to promote data responsibility. 26. The matters in sub-paragraphs (a) to (d) above had already been taken into consideration in determining the financial penalty (see paragraph 32 below). With regards to (f), organisations are required under the PDPA to implement policies and practices necessary for them to meet their obligations under the PDPA, and mere compliance with the PDPA is not a mitigating factor. 27. 
GSI’s notification of the affected individuals is a relevant consideration and the further steps set out in (g) are relevant mitigating factors and the quantum of the final financial penalty set out below has been reduced. 28. Fourthly, GSI sought to compare the facts of this case with prior decisions such as Re Avant Logistic Service Pte Ltd [2019] SGPDPC 28, Re AIA Singapore Private Limited [2019] SGPDPC 20, Re InfoCorp Technologies Pte Ltd [2019] SGPDPC 17, Re Option Gift Pte Ltd [2019] SGPDPC 10 and Re AIG Asia Pacific Insurance Pte Ltd & Toppan Forms (S) Pte Ltd [2019] SGPDPC 2. It should be borne in mind that none of these cited cases dealt with a similar scale of breach and cannot be relied upon to argue for a lower financial penalty. 29. GSI also made the following representations against the Commissioner’s determination that it had breached section 25 of the PDPA: (a) GSI sent an email to MSIG on 5 June 2017 confirming the deletion or purging of data from previous campaigns. This email read as follows: “Yes, we are in the midst of purging the most recent campaigns. The older ones have been purged.” The above email does not confirm that all completed campaigns have been purged, and only indicated that GSI was in the midst of doing so, and shows that some email addresses from recently concluded campaigns had not been removed from the system. This is, at best, evidence that GSI was trying to purge customer data after each campaign, but was not particularly prompt. (b) GSI asserted that MSIG was an active client and, hence, the G2M platform retained 149,172 email addresses of MSIG’s customers even after data from previous campaigns had been purged. However, this is contrary to the evidence which shows that MSIG had requested GSI to delete all email addresses after each email marketing campaign; and GSI’s representations that it was putting in effort to do so (albeit with some delays). 
In the final analysis, the representations in relation to the breach of section 25 of the PDPA did not warrant a review of the Commissioner’s findings. Outcome 30. After considering the facts of this case, the Commissioner hereby directs GSI to pay a financial penalty of $34,000 within 30 days from the date of the directions, failing which interest shall be payable on the outstanding amount of such financial penalty at such rate as specified in the Rules of Court. 31. In determining the amount of the financial penalty set out above, the Commissioner recognised that not all of the 359,364 email addresses targeted by the Spam Emails in the Incident constituted personal data and it was not possible for the Commission to determine the exact number of email addresses which did constitute personal data. Nevertheless, taking into account the GSI lapses and the other facts of the case detailed above, the Commissioner considered that a financial penalty of $34,000 would be appropriate. 32. In coming to this decision, the Commissioner also had regard to the following mitigating factors: (a) GSI was cooperative in the course of the Commission’s investigation and had provided prompt responses to the Commission’s requests for information; (b) GSI implemented the remedial actions set out in paragraphs 10 to 12 above to address the Incident quickly, including notifying the affected individuals; and (c) There was no harm caused by the disclosure of the Compromised Personal Data. 33. The Commissioner was of the view that no further directions are required given the remedial actions already taken by MSIG and GSI. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION",Financial Penalty,4c9d4905f641206cd304485dcb39659ee42e32db,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"