_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,106,106,1,952,"Directions were imposed on Henry Park Primary School Parents’ Association for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect its members’ personal data. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to ensure its compliance with the PDPA.","[""Protection"", ""Accountability"", ""Directions""]",2020-02-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---HPPA.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by Henry Park Primary School Parents' Association,https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-and-accountability-obligations-by-henry-park-primary-school-parents-association,2020-02-11,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1903-B3531 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Henry Park Primary School Parents’ Association SUMMARY OF THE DECISION 1. Henry Park Primary School Parents’ Association (the “Organisation”) is a registered society whose membership comprised parent volunteers. To register as members of the Organisation, individuals provided to the Organisation their names, contact numbers, name of child and the child’s class in Henry Park Primary School (the “Personal Data Set”). The Organisation had a website at https://hppa.org.sg (the “Website”) where members could view their own account particulars upon logging in using their assigned user ID and password. 2. On 15 March 2019, the Personal Data Protection Commission (“the Commission”) received a complaint. 
The complainant informed that when she performed a Google search using her name, she found a search result of a webpage of the Website which disclosed her personal data (the “Incident”). 3. The Personal Data Sets of registered members were never intended to be disclosed online. The Website had been developed by a parent volunteer using the WordPress content management system. 4. The Organisation had conducted tests to verify that members who logged in to the Website could view their own account particulars. The Organisation also verified that account particulars could not be viewed when accessing the Website as a public user. Nevertheless, the Personal Data Set was crawled, indexed and searchable by Google. This points to a weakness in access control that had not been picked up by these rudimentary tests. 5. Security testing such as vulnerability scans would have identified the access control issue. The Organisation failed to conduct adequate security testing before launching the Website. On the above facts, the Commission found that the Organisation did not put in place reasonable security arrangements to protect the Personal Data Sets. 6. The Commission also found that the Organisation had not appointed a person to be responsible for ensuring its compliance with the Personal Data Protection Act 2012 (the “PDPA”). Further, the Organisation had not developed and implemented any policies and practices necessary for it to meet its obligations under the PDPA. 7. The Organisation had taken the Website offline after the Incident on 15 March 2019. On 14 November 2019, the Organisation had put online a new website that no longer allowed online access to the database of the Organisation’s members. The new website also included a data protection notice. 8. In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of sections 11(3), 12 and 24 of the PDPA. 
In determining the directions, the Deputy Commissioner took into consideration that the Organisation was a volunteer organisation made up primarily of parents. The Organisation is directed to, within 60 days, (i) appoint one or more individuals to be responsible for ensuring that it complies with the PDPA, (ii) develop and implement internal data protection and training policies, and (iii) put all volunteers handling personal data through data protection training. ",Directions,79c294efa7335db9a6489bfae8e1c1eedccbf23b,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,107,107,1,952,A warning was issued to AXA Insurance for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of its policyholders. The personal data of 87 individuals was sent in an email to an unintended recipient.,"[""Protection"", ""Warning""]",2020-02-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---AXA-SG.pdf,Protection,Breach of the Protection Obligation by AXA Insurance,https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-obligation-by-axa-insurance,2020-02-11,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1907-B4201 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And AXA Insurance Pte. Ltd. SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (the “Commission”) received a complaint on 4 July 2019 against AXA Insurance Pte. Ltd. (the “Organisation”). The complaint was about an email (the “Email”) sent with a scanned document (the “Attachment”) containing personal data of 87 other policyholders (the “Affected Individuals”) to the Complainant on 28 June 2019 (the “Incident”). 2. 
The Attachment was an internal email correspondence of the Organisation that contained the names, NRIC numbers, insurance policy numbers and the details of the servicing agents of the Affected Individuals (the “Personal Data”). The Attachment was not meant for the Complainant. 3. The Organisation admitted that during scanning of documents by its employees, it did not have a process to segregate documents intended for internal record purposes from documents for customers. 4. The Organisation’s customer care specialist who retrieved the scanned document which formed the Attachment also failed to check the Attachment before sending out the Email. 5. The Commission found that these lapses in processes resulted in the Incident. The lapses pointed to a failure by the Organisation to make reasonable security arrangements to protect the personal data of its policyholders from inadvertent disclosure by its employees. The Organisation was therefore found in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012. The Commission has decided to issue a warning to the Organisation after considering the admission of liability by the Organisation, the impact of the breach and the corrective measures taken. ",Warning,71d45bf5b66f5336bd2c59fa788260822e8e796d,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,108,108,1,952,A warning was issued to NTUC Income for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data to users making enquiries through its website. 
123 users received automated acknowledgement emails attached with files containing personal data belonging to 17 individuals.","[""Protection"", ""Warning""]",2020-02-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---NTUC-Income-Insurance-Co-Operative-Limited--24012020.pdf,Protection,Breach of the Protection Obligation by NTUC Income,https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-obligation-by-ntuc-income,2020-02-11,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1907-B4288 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And NTUC Income Insurance Co-Operative Limited SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (the “Commission”) was notified on 17 July 2019 by NTUC Income Insurance Co-Operative Limited (the “Organisation”) of the unintended disclosure of personal data to users making enquiries through its website. The users received automated acknowledgement emails attached with files containing personal data of other individuals (the “Incident”). 2. On 10 July 2019, the Organisation enhanced the website’s online enquiry application to allow users to upload supporting documents together with their enquiry submissions. When a user A uploaded files, the application assigned a variable that served to identify the files for future retrieval by the same user or by the Organisation. However, due to a coding error, if the next user B did not upload files, the variable generated for the preceding user was applied to B’s submission. As a result, the supporting documents uploaded by A were associated with B’s submission. 3. This coding error manifested in the sending of acknowledgement emails, which were intended to include supporting documents submitted by the user. When acknowledgement emails were generated for a user who did not upload files, the coding error caused the files uploaded by a preceding user to be attached. 
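As an added illustration of the defect described in paragraphs 2 and 3 (example code, not NTUC Income’s application; the class and field names are assumptions and the scenario data is constructed), the handler below keeps the upload identifier on the application object and only reassigns it when a user uploads something, so a following submission without files inherits the previous user’s attachments. The fixed handler beside it scopes the identifier to the submission, and the mixed upload/no-upload scenario is the test case the decision says was never run before the enhancement went live:

```python
# Added example, not NTUC Income's application code. Class and field names are
# assumptions; the scenario data is constructed.
import itertools
from typing import Optional


class _EnquiryAppBase:
    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self._store: dict = {}   # constructed stand-in for the upload store
        self.sent: list = []     # constructed stand-in for the outbound mailer

    def _store_files(self, files: list) -> str:
        file_id = 'upload-%d' % next(self._ids)
        self._store[file_id] = list(files)
        return file_id

    def _send_ack(self, email: str, file_id: Optional[str]) -> None:
        # The acknowledgement attaches whatever is filed under file_id.
        attachments = self._store.get(file_id, []) if file_id else []
        self.sent.append((email, attachments))


class VulnerableEnquiryApp(_EnquiryAppBase):
    def __init__(self) -> None:
        super().__init__()
        self.file_id: Optional[str] = None   # BUG: lives beyond one submission

    def submit(self, email: str, files: list) -> None:
        if files:
            self.file_id = self._store_files(files)
        # No else branch resets self.file_id, so a user who uploads nothing
        # is acknowledged with the previous uploader's documents.
        self._send_ack(email, self.file_id)


class FixedEnquiryApp(_EnquiryAppBase):
    def submit(self, email: str, files: list) -> None:
        # FIX: the identifier is local to this submission and explicitly None
        # when nothing was uploaded; nothing carries over between users.
        file_id: Optional[str] = self._store_files(files) if files else None
        self._send_ack(email, file_id)


# Constructed mixed scenario of the kind the decision says was never tested:
# some submitters upload files, the next ones do not.
SCENARIO = [
    ('a@example.com', ['policy-a.pdf']),
    ('b@example.com', []),
    ('c@example.com', []),
    ('d@example.com', ['claim-d.jpg']),
    ('e@example.com', []),
]


def run_scenario(app) -> list:
    for email, files in SCENARIO:
        app.submit(email, files)
    return app.sent


def leaked_recipients(sent: list) -> list:
    # Regression check: anyone who uploaded nothing yet received an attachment
    # was sent another user's documents.
    uploaded = {email for email, files in SCENARIO if files}
    return [email for email, attachments in sent if attachments and email not in uploaded]


if __name__ == '__main__':
    print('vulnerable version leaks to:', leaked_recipients(run_scenario(VulnerableEnquiryApp())))
    print('fixed version leaks to:', leaked_recipients(run_scenario(FixedEnquiryApp())))
```

Running the script reports the recipients who received someone else’s documents under each version. Kept as a regression test, the same scenario is the check that a static analyser is unlikely to supply on its own, since the defect is a request-scoping logic error rather than a pattern such tools flag.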
There were 17 users whose uploaded files were sent to 123 other users in this way. The files contained their personal data, such as names, policy numbers, premium amounts, sum assured and period of coverage, email and mailing addresses. 4. The Organisation admitted that the Incident was caused by poor quality code. The Commission found that such errors should have been detected during the manual code review process that the Organisation had conducted. Further, before the enhancement went “live”, the Organisation’s tests did not simulate the various scenarios expected whereby some users would upload files while others did not. 5. The Organisation has since sought to improve checks on coding quality by replacing its manual code review process with tools such as Crucible and SonarQube. It also moved to ensure that test scenarios were adequate and that test plans and reviews were in place before changes in its IT applications and systems were allowed to be deployed. 6. In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012 and decided to give a warning to the Organisation. No directions are required as the Organisation has implemented corrective measures that addressed the gap in its security arrangements. ",Warning,50f8e6a44f01ed62a2f3b441bf9c89a658c16419,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,109,109,1,952,"A financial penalty of $16,000 was imposed on Royal Caribbean Cruises (Asia) for failing to put in place reasonable security arrangements to protect the personal data of its customers. 
The personal data was subjected to a ransomware attack.","[""Protection"", ""Financial Penalty""]",2020-02-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Royal-Caribbean-04022020.pdf,Protection,Breach of the Protection Obligation by Royal Caribbean Cruises (Asia),https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-obligation-by-royal-caribbean-cruises-(asia),2020-02-11,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 5 Case Nos.: DP-1904-B3721 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Royal Caribbean Cruises (Asia) Pte. Ltd. … Organisation DECISION 1 Royal Caribbean Cruises (Asia) Pte. Ltd. [2020] SGPDPC 5 Tan Kiat How, Commissioner — Case No. DP-1904-B3721 4 February 2020 Introduction 1 On 14 April 2019, Royal Caribbean Cruises (Asia) Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that the systems of one of the Organisation’s vendors (the “IT Vendor”) had been subject to a cyber-attack, resulting in the personal data of some of the Organisation’s customers being exposed to unauthorised access (the “Incident”). Facts of the Case 2 In early 2017, the Organisation engaged the IT Vendor to develop and supply the Organisation with an electronic receipt system to generate and store electronic receipts with respect to payments made by the Organisation’s customers for cruise and holiday bookings (the “Receipt System”). The initial plan was for the Receipt System to be hosted on the Organisation’s internal server. However, after taking into consideration that the Receipt System would need to be accessed from external Internet Protocol (“IP”) addresses during events and roadshows, the Organisation asked the IT Vendor to host the Receipt System on an Amazon Web Services (“AWS”) server. 
The Receipt System was installed on an AWS Server in December 2017 and the Organisation started using the Receipt System at the end of January 2018. 3 On 11 April 2019, the Organisation encountered difficulties operating the Receipt System and reported the issue to the IT Vendor. On 12 April 2019, the IT Vendor informed the Organisation that the Receipt System had been subject to a cyber-attack. The cyber-attacker had deleted the database in the Receipt System, and replaced it with a ransom message demanding payment of 0.08 Bitcoins in order to recover the deleted data. 4 The following types of personal data belonging to 6,004 of the Organisation’s customers (“Affected Customers”) were affected by the Incident (collectively, “Customer Data”): (a) Receipt Date and Number; (b) Sailing Date; (c) Name of Guest / Card Holder; (d) Ship Name; (e) Booking ID; (f) Amount Paid; (g) Payment Type; (h) The first four and last four digits of credit / debit card number for payments made using credit / debit cards; (i) Issuing bank and the 6 digit cheque numbers for payments made using cheques; and (j) Voucher redemption numbers for payment made using vouchers. 5 In addition, 440 of the 6,004 Affected Customers had completed an online check-in process that required them to provide additional personal data. These 440 Affected Customers had the following types of additional personal data placed at risk of unauthorised access (collectively, “Additional Customer Data”): (a) Name; (b) Nationality; (c) Marital status; (d) Date of birth; (e) Residential address; (f) Mobile number; (g) Email address; (h) Emergency contact information; (i) Last 4 characters of the passport numbers; (j) Passport expiry date; and (k) Customer credit card details including the cardholder's name, credit card issuer, last 4 digits, and expiry date. 
6 There were 25 employees of the Organisation whose personal data was also affected by the Incident (collectively, “Employee Data”): (a) Name; (b) Receipt System Username; (c) Receipt System User role; (d) Receipt System Password; (e) Email Address; (f) Mobile number; and (g) Location (i.e., office or roadshow). 7 Upon discovery of the Incident, the Organisation took the following remedial actions: (a) On 12 April 2019, the Receipt System’s phpMyAdmin web application name was changed to obscure access (phpMyAdmin is an open source administration tool for MySQL and MariaDB data over the world wide web). IP address restrictions were also added for access to the Receipt System; (b) On 16 April 2019, the Organisation engaged a cybersecurity consultant to conduct technical forensic investigations and identify vulnerabilities in the Receipt System; (c) On 17 April 2019, the Organisation took the Receipt System offline permanently. The Organisation also blocked its online check-in portal to prevent information from the Receipt System from being used to access Additional Customer Data of the 440 Affected Customers; and (d) On 1 May 2019, the Organisation notified the 440 Affected Customers of the Incident, on the basis that the Additional Customer Data that may have been accessed through the online check-in portal was likely to be sensitive and/or could materially impact them. Findings and Basis for Determination Whether the Organisation had contravened section 24 of the PDPA 8 Section 24 of the Personal Data Protection Act 2012 (“PDPA”) requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 
9 As a preliminary point, the Organisation owned the Receipt System and had possession and control over the Customer Data, Additional Customer Data and Employee Data at all material times. While the IT Vendor was engaged to develop the Receipt System, the Commission’s investigations revealed that the IT Vendor had not processed, nor were they engaged to process, the Customer Data, Additional Customer Data and Employee Data on the Organisation’s behalf. The IT Vendor was accordingly not a data intermediary and the Organisation was solely responsible for the protection of the Customer Data, Additional Customer Data and Employee Data. 10 The Receipt System had vulnerabilities and gaps that the cyber-attacker could easily have exploited, resulting in the Incident: (a) The administrative credentials (i.e., administrator username and password) to log into the Receipt System were stored in files within the same server with no access controls and were therefore publicly accessible; and (b) The version of the phpMyAdmin tool in use with the Receipt System at the material time was not patched and contained known security vulnerabilities.[2] 11 In relation to (a), given that the administrative credentials would allow and enable access to Customer Data, Additional Customer Data and Employee Data of a significant number of individuals stored in the Receipt System, they clearly should not have been stored in files without access controls, especially so when the files were in the same server. In relation to (b), and as mentioned in previous decisions,[3] regular security testing and patching are absolutely crucial security measures. Patching is one of the common tasks that all system owners are required to perform in order to keep their security measures current against external threats. The Organisation clearly did not have any process in place to ensure regular patching in the present case. 
12 According to the Organisation, it was the IT Vendor’s responsibility to put in place the appropriate security measures for the Receipt System. In contrast, the IT Vendor asserted that it was the Organisation’s network security team that was in charge of security. The Commission’s investigations revealed that the Organisation had not in fact engaged the IT Vendor to provide services in relation to security maintenance or patching of the Receipt System. As the data controller and customer, the Organisation ought to be clear about the scope of services that it is procuring from the IT Vendor, and document the scope properly in contract or other project documentation. In this case, the Organisation was not able to produce anything in writing to corroborate its assertions. The absence of documentation, on the contrary, buttresses the IT Vendor’s assertion that it was not engaged to provide services in relation to security measures for the Receipt System. Without clarity, the risks of any omissions will fall on the Organisation, which as data controller is ultimately responsible. In the circumstances, the Commissioner finds that it was the Organisation and not the IT Vendor that had the obligation to ensure that the Receipt System had up-to-date security maintenance and patching. [2] The security vulnerabilities were listed in Common Vulnerabilities and Exposures, which is a list of publicly disclosed information security vulnerabilities and exposures. [3] See for example Re The Cellar Door Pte Ltd and Global Interactive Works Pte Ltd [2016] SGPDPC 22 at [26]; Re Singapore Health Services Pte. Ltd. & others [2019] SGPDPC 3 at [124]; Re Tutor City [2019] SGPDPC 5 at [23]; Re Genki Sushi [2019] SGPDPC 26 at [20]-[21]. 
13 The Organisation’s failure to implement security measures, including software patches to ensure that vulnerabilities in the Receipt System were properly patched, resulted in a standard of protection that fell far short of what was required for the Receipt System. As such, the Organisation failed to put in place reasonable security arrangements to protect the Customer Data, Additional Customer Data and Employee Data. Accordingly, the Commissioner finds the Organisation in breach of section 24 of the PDPA. The Commissioner’s Directions 14 In determining the directions, if any, to be imposed on the Organisation under section 29 of the PDPA, the Commissioner took into account the following mitigating factors: (a) The Organisation cooperated with the Commission in its investigations; and (b) The Organisation took prompt remedial actions in respect of the Incident. 15 Having considered all the relevant factors of this case, the Commissioner hereby directs the Organisation to pay a financial penalty of $16,000 within 30 days from the date of this direction, failing which interest, at the rate specified in the Rules of Court in respect of judgment debts, shall accrue and be payable on the outstanding amount of such financial penalty until it is paid in full. The Commissioner has not set out any further directions given the remediation measures already put in place. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,9e050b9f6c3568f6a2dff1cb150947fe99ed4f03,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,110,110,1,952,"A financial penalty of $26,000 was imposed on SPH Magazines for failing to put in place reasonable security arrangements to prevent the unauthorised access of personal data of members of HardwareZone forum site.","[""Protection"", ""Financial Penalty""]",2020-02-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---SPH-Magazines-Pte-Ltd.pdf,Protection,Breach of the Protection Obligation by SPH Magazines,https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-obligation-by-sph-magazines,2020-02-11,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 3 Case No DP-1802-B1731 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SPH Magazines Pte Ltd … Organisation DECISION 1 SPH Magazines Pte Ltd [2020] SGPDPC 3 Tan Kiat How, Commissioner — Case No DP-1802-B1731 31 January 2020 Facts of the Case 1 On 20 February 2018, SPH Magazines Pte Ltd (the “Organisation”) voluntarily notified the Personal Data Protection Commission (the “Commission”) that the account of a senior moderator of its HardwareZone forum site (the “Forum”) had been accessed by an unknown hacker who used the senior moderator’s credentials to retrieve personal data of members of the Forum. The Organisation subsequently discovered through its consultants who were engaged to assist in its investigations into the incident that the senior moderator’s email address and password had been published on a credential leak database on 5 December 2017. 
The Organisation believed that the hacker had obtained the senior moderator’s credentials from this source or other similar databases as its investigations showed that its systems and applications had not been compromised during the incident. 2 The Organisation operates, hosts and maintains the Forum, an online Internet portal for members to engage in discussions on technology and other matters. Members are required to provide their usernames, email addresses, full names and passwords during registration and this personal data would form part of a member’s user profile. Members also have the option of including the following personal data in their user profile: (a) Year of Birth (b) Gender (c) Country (d) Education (e) Job Scope (f) Role in IT Procurement (g) Occupation (h) Industry (i) Company Size (j) Monthly Income (range) (k) Area of interest (l) Home Page URL (m) Use of MSN, Yahoo, ICQ, AIM, Skype 3 Senior moderators of the Forum are volunteers selected by the Organisation from amongst the members of the Forum and appointed to review and moderate the discussion threads in the Forum and to ensure that any postings comply with applicable laws and the Forum’s Terms of Service. Senior moderators are also responsible for issuing warnings and other sanctions (such as suspensions or bans) to members who do not comply with the Forum’s Terms of Service. Access to members’ user profiles was given to senior moderators (through their respective senior moderator accounts) to allow them to carry out their duties. The senior moderators would be able to view the Forum members’ usernames, email addresses and any optional information included by the members in their user profiles. 
While the full names and passwords of the members were salted and hashed using the MD5 algorithm, and ordinarily senior moderators would not be able to view these fields, it is well-known that the MD5 algorithm is outdated and could be circumvented: see Fei Fah Medical Manufacturing Pte Ltd [2016] SGPDPC 3 at [19] and [20]. 4 The Organisation first realised that something was amiss when it was notified of an unauthorised post published using the account of a website administrator. The website administrator is employed by the Organisation. Using the administrator’s credentials, the hacker published the unauthorised post and changed the avatar of the administrator account. However, as the Forum administrators could only access the user profiles of members by way of a two-factor authentication (“2FA”) process, the hacker was unable to access the user profiles using the administrator account. 5 The Organisation also subsequently discovered the website administrator’s credentials in the same credential leak database which published the senior moderator’s credentials. 6 It thus appears that the hacker used the compromised senior moderator account to access the user profiles of members. At the material time, there were a total of 685,393 user profiles in the Organisation’s system. The Organisation’s investigations further showed that the senior moderator’s account was used to perform 704,764 attempted views of Members’ user profiles using networks that did not reveal the actual source IP address, between 22 September 2017 and 30 September 2017. The high number of attempted views and the use of networks which are difficult to trace suggest that the senior moderator’s account was used to access personal data of Members without authorisation. The investigations also showed that the senior moderator’s account experienced unusual activity from at least December 2015. 
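The pattern in paragraph 6, a single privileged account sweeping hundreds of thousands of profiles from untraceable networks over a few days, is straightforward to surface from ordinary access logs, and the two years of undetected activity noted later in the decision is what happens when nobody looks. The detector below is an added example (not the Organisation’s code or log data); the log format, field names and thresholds are assumptions, and the log lines it runs over are constructed inline:

```python
# Added example, not SPH Magazines' code or logs. Log format, field names and
# thresholds are assumptions; the sample log lines are constructed.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) account=(?P<account>\S+) '
    r'action=(?P<action>\S+) target=(?P<target>\S+) src=(?P<src>\S+)$'
)


def parse_line(line):
    # Returns the event fields, or None for lines that do not match the format.
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def daily_stats(lines):
    # (account, day) -> number of profile views, distinct targets, distinct sources
    stats = defaultdict(lambda: {'views': 0, 'targets': set(), 'sources': set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev['action'] != 'profile_view':
            continue
        s = stats[(ev['account'], ev['ts'][:10])]
        s['views'] += 1
        s['targets'].add(ev['target'])
        s['sources'].add(ev['src'])
    return stats


def detect(lines, max_views_per_day=200, max_sources_per_day=5):
    # Thresholds are illustrative; in practice derive them from each role's
    # own historical baseline. Either signal alone is enough to raise an alert.
    alerts = []
    for (account, day), s in sorted(daily_stats(lines).items()):
        reasons = []
        if s['views'] > max_views_per_day:
            reasons.append('views=%d exceeds %d' % (s['views'], max_views_per_day))
        if len(s['sources']) > max_sources_per_day:
            reasons.append('sources=%d exceeds %d' % (len(s['sources']), max_sources_per_day))
        if reasons:
            alerts.append({'account': account, 'day': day, 'views': s['views'],
                           'distinct_targets': len(s['targets']),
                           'distinct_sources': len(s['sources']),
                           'reasons': reasons})
    return alerts


def constructed_log():
    # Synthetic data: one moderator doing routine work from one address, and one
    # account sweeping thousands of profiles from many changing source addresses.
    lines = []
    for day in range(22, 25):
        for i in range(15):
            lines.append('2017-09-%02dT09:%02d:00Z account=mod_alpha action=profile_view '
                         'target=%d src=203.0.113.10' % (day, i, 1000 + i))
    for i in range(3000):
        lines.append('2017-09-22T%02d:%02d:%02dZ account=mod_bravo action=profile_view '
                     'target=%d src=198.51.100.%d'
                     % (i // 150, (i // 3) % 60, i % 60, 5000 + i, i % 40))
    lines.append('2017-09-22T10:00:00Z account=mod_alpha action=post_edit target=77 src=203.0.113.10')
    return lines


if __name__ == '__main__':
    for alert in detect(constructed_log()):
        print(alert)
```

Only the sweeping account trips the detector; the routine moderator stays well under both thresholds. When an abusive account spreads its views over many days to stay under the volume threshold, the distinct-source count is the cheaper signal, which is why the detector keeps both.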
7 Upon being notified of the Incident, the Organisation took the following remedial actions: (a) The access rights of senior moderator accounts to user profiles were temporarily suspended on 19 February 2018; (b) The Organisation sent emails to members informing them of the breach and advising members to change their passwords. The Organisation also posted a notification of the breach on the Forum website. (c) The Organisation revised its Password policy on 23 February 2018 requiring passwords to have a minimum of 8 characters and include both alphanumeric and upper/lower case characters. Passwords will also expire within 3 months; (d) 2FA was implemented for senior moderator accounts in April 2018; (e) Captcha for the Forum’s login page was implemented; (f) Entries in the field for full names were removed from the application level and purged from the database; and (g) Additional information in optional fields was also removed from the application level and purged from the database. Findings and Basis for Determination 8 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 9 The key finding in this case was that the Organisation had omitted to implement reasonable password security requirements for its senior moderators. While the Organisation did have in place a Password Policy which, amongst other things, required passwords to be of a certain length and complexity and provided for the expiration of passwords, the Policy and the security measures therein were applicable to the Organisation’s employees and did not apply to senior moderators. In fact, there was no requirement for senior moderators to change their passwords regularly or to have passwords of an acceptable length and complexity. 
10 During the investigations it was discovered that the password used by the relevant senior moderator had not been changed in 10 years and did not meet the length and complexity standard the Organisation implemented for its employees. In this regard, the permissions and privileges granted to senior moderators allowed senior moderators to set password expiry rules and to set prohibitions for the re-use of passwords within a selected period (i.e. password history setting) but did not compel them to do so. 11 Finally, the Organisation did not perform any security testing of the Forum website. It therefore did not have an overall picture of its security needs in relation to the website. 12 The failure to implement and enforce reasonable password security requirements on the senior moderator accounts and to conduct security testing to acquire knowledge of the Forum website’s security amounted to a breach of section 24 of the PDPA by the Organisation. The Commissioner’s Directions 13 In determining the directions to be imposed on the Organisation under section 29 of the PDPA, the following factors were taken into account: Mitigating factors (a) the Organisation voluntarily notified the Commission of the Incident and members of the Forum promptly; (b) the Organisation took prompt action to implement measures to prevent a recurrence of such an incident; (c) the Organisation cooperated with the Commission’s investigations; Aggravating factors (d) The password which was compromised had not been changed for a very long period of 10 years; and (e) The Organisation was unable to detect the unauthorised access of personal data for about 2 years. 
14 Having carefully considered all the relevant factors of this case, the Commissioner directs the Organisation to pay a financial penalty of $26,000 within 30 days of the date of this direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. No additional directions are required in light of the remedial measures taken by the Organisation. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,0ccae1ff28f90d66c28dd2491e593155803069f2,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,111,111,1,952,"A financial penalty of $15,000 was imposed on SCAL Academy for failing to put in place reasonable security arrangements to protect the personal data of individuals on its website. These individuals had provided their personal data to SCAL Academy for registration purposes to attend its courses, seminars or workshops.","[""Protection"", ""Financial Penalty""]",2020-02-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---SCAL-Academy---080120.pdf,Protection,Breach of the Protection Obligation by SCAL Academy,https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-obligation-by-scal-academy,2020-02-11,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 2 Case No. DP-1811-B3061 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SCAL Academy Pte. Ltd. … Organisation DECISION SCAL Academy Pte. Ltd. [2020] SGPDPC 2 Tan Kiat How, Commissioner — Case No. DP-1811-B3061 8 January 2020 Introduction 1 SCAL Academy Pte. Ltd. 
(the “Organisation”) provides courses, seminars and workshops for individuals (the “Participants”) and collects personal data of Participants through its website, http://www.scal-academy.com.sg (the “Website”), for registration purposes. The Website was developed and maintained by a freelance vendor (the “Vendor”). 2 On 29 November 2018, the Personal Data Protection Commission (the “Commission”) received a complaint that the results of an online search of the names of Participants displayed links to scanned copies of registration documents (the “Documents”) on the Website (the “Incident”). The Documents were accessible by clicking on the listed links. 3 The Documents contained various personal data of 3,628 Participants including their name, race, nationality, date of birth, gender, country of birth, NRIC or work permit number, address, occupation and the name of the company the Participants were employed by (the “Compromised Personal Data”). 4 The cause of the Incident was traced to an enhancement to the Website (the “Enhancement”) which allowed Participants to upload the Documents directly onto a folder (the “Folder”) on the Website. The Vendor had been tasked with developing the Enhancement on 7 February 2018 and, in the course of doing so, the Vendor omitted to programme the Enhancement to verify that only authorised employees can access the Folder. The Documents were thus accessible without the need for login credentials. Additionally, the Vendor had also, through an oversight, omitted to implement another requirement, which is to implement Google’s recommendations to prevent bot crawlers from searching and indexing website content. 
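Paragraph 4 above describes two omissions: no authorisation check on the Folder, and no crawler directives. The block below is an added example, not code from the decision, from SCAL Academy or from its Vendor, written in Python against a simulated document store; the upload path, role names and request shape are assumptions. It places the vulnerable handler beside the hardened one so the difference can be exercised directly, and it treats robots.txt and the noindex header as a secondary measure: a crawler that ignores them is still stopped only by the access check.

```python
import posixpath

# Assumed layout for illustration: scanned registration documents live under this prefix.
UPLOAD_ROOT = '/var/www/uploads'
AUTHORISED_ROLES = {'staff'}
NOINDEX_HEADERS = {'X-Robots-Tag': 'noindex, nofollow', 'Cache-Control': 'private, no-store'}

# Constructed document store standing in for the Folder (placeholder bytes, not real scans).
DOCUMENTS = {
    '/var/www/uploads/reg-0001.pdf': b'%PDF-constructed-registration-0001',
    '/var/www/uploads/reg-0002.pdf': b'%PDF-constructed-registration-0002',
}


def resolve(requested):
    '''Map a request path to a file under UPLOAD_ROOT, neutralising ../ traversal.'''
    clean = posixpath.normpath('/' + requested).lstrip('/')
    full = posixpath.join(UPLOAD_ROOT, clean)
    if not full.startswith(UPLOAD_ROOT + '/'):
        return None
    return full


def serve_vulnerable(request, store=DOCUMENTS):
    '''Before: the file is returned to anyone who knows or guesses the URL, crawlers included.'''
    path = resolve(request['path'])
    if path is None or path not in store:
        return 404, {}, b''
    return 200, {}, store[path]


def serve_hardened(request, store=DOCUMENTS):
    '''After: authenticated, authorised, traversal-safe, and marked noindex for any crawler.'''
    session = request.get('session')
    if session is None:
        return 401, dict(NOINDEX_HEADERS), b''
    if session.get('role') not in AUTHORISED_ROLES:
        return 403, dict(NOINDEX_HEADERS), b''
    path = resolve(request['path'])
    if path is None or path not in store:
        return 404, dict(NOINDEX_HEADERS), b''
    return 200, dict(NOINDEX_HEADERS), store[path]


def robots_txt():
    '''Advisory only: well-behaved crawlers skip the folder, but this is not access control.'''
    return 'User-agent: *\nDisallow: /uploads/\n'


if __name__ == '__main__':
    crawler = {'path': 'reg-0001.pdf'}                                  # no session, like a search bot
    staff = {'path': 'reg-0001.pdf', 'session': {'role': 'staff'}}
    print(serve_vulnerable(crawler)[0])   # 200: the document leaks
    print(serve_hardened(crawler)[0])     # 401
    print(serve_hardened(staff)[0])       # 200, with X-Robots-Tag: noindex
```

The order of checks in serve_hardened matters: authentication and authorisation run before the path is even resolved, so an unauthenticated caller learns nothing about which filenames exist.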
5 Following the Incident, the Organisation took the following remedial actions: (a) Implemented measures to prevent Google trawling and indexing, such as deploying ‘noindex’ tags and scripts to ignore search bots; (b) Requested Google to remove search engine records of the production environment and the links to the Documents; (c) Removed the Documents from the Website; (d) Disabled the upload function for Documents for online registration on the Website; and (e) Assessed the harm and impact of the Incident on the affected individuals and notified approximately 27 of them who the Organisation believed would likely suffer significant harm or impact. Findings and Basis for Determination Whether the Organisation had contravened section 24 of the Personal Data Protection Act 2012 (“PDPA”) 6 As a preliminary point, the Organisation owned and managed the Website, and had possession and control over the Compromised Personal Data at all material times. While the Vendor had been engaged to develop and maintain the Website and subsequently assisted in the development of the Enhancement, the Vendor had not processed any personal data collected via the Website on the Organisation’s behalf. The Vendor was therefore not a data intermediary of the Organisation, and the obligations under the PDPA did not apply to the Vendor in respect of its engagement by the Organisation. 7 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 8 In this regard, while the Organisation had instructed the Vendor to prevent the Documents from being ‘leaked’ online, it did not check with the Vendor what security arrangements had been put in place to ensure this. 
It is essential that, having identified a data protection risk, the Organisation and the Vendor agree on the measures to be implemented. These can then be followed through to the testing stage and scenarios can also be devised for user acceptance testing. Since this was not done, it follows that the Organisation did not conduct any tests, or verify whether the Vendor had conducted any tests, to ensure that the security arrangements were effective in protecting the Documents from unauthorised disclosure. 9 As observed in WTS Automotive Services Pte Ltd [2018] SGPDPC 26 at [24], the responsibilities of an organisation over the personal data in its control and/or possession do not require technical expertise. The examples of actions that the Organisation ought to have undertaken as set out at paragraph 8 above do not require deep technical expertise. Instead, they require that organisations articulate their business requirements, work with their vendors on a set of agreed technical measures, and follow through with proper testing based on risk scenarios derived from the business requirements. 10 In view of the above, the Commissioner found that the Organisation had not put in place reasonable security arrangements to protect the personal data in the Documents and, accordingly, was in breach of section 24 of the PDPA. The Organisation’s Representations 11 In the course of settling this Decision, the Organisation submitted its representations to the Commission on various aspects of the preliminary Decision. The representations, in part, covered matters which have already been addressed in this Decision or which were not relevant to this Decision. 
The relevant matters raised in the representations which are not addressed elsewhere in this Decision were: (a) The Organisation warned the Vendor that the Incident was a breach of the PDPA; (b) While not justifying the data breach, the Organisation took the position that the Incident neither impacted nor caused significant harm to the affected individuals; (c) The Organisation has since taken steps to prevent a recurrence of a similar incident, such as strengthening and improving communication with suppliers and vendors, especially where personal data is concerned, and educating members on compliance with the PDPA; and (d) The Organisation counselled the Vendor and obtained an undertaking requiring the Vendor to implement additional safeguards, such as disabling all UAT websites from being searchable by search engines, educating staff members on the PDPA and communicating and collaborating with the Organisation to ensure that work done complies with the PDPA. 12 With respect to the matter raised at [11(a)], as stated at [6], the Vendor was not a data intermediary for the purpose of its engagement by the Organisation. Nevertheless, informing the Vendor of the Incident and that the PDPA had been breached is a legitimate remedial action. This has already been taken into consideration in determining the directions to be issued to the Organisation, as set out below at [15(b)]. 13 With respect to [11(b)], this should be seen in light of the Organisation having, as part of its remedial efforts, notified affected individuals who it believed would likely suffer significant harm or impact. Looking at the Organisation’s assertions, it is the Organisation’s own view that 27 individuals were likely to have suffered significant harm or impact, and it mitigated this harm or impact by notifying these individuals. Again, this remedial action had already been taken into consideration when determining the appropriate directions to be issued. 
14 With respect to the additional matters raised and as set out at [11(c) and (d)], the Commissioner accepts these points and the financial penalty imposed has been reduced to the amount stated below. The Commissioner’s Directions 15 In determining the directions to be imposed on the Organisation under section 29 of the PDPA, the Commissioner took into account the following mitigating factors: (a) The Organisation was cooperative in the investigations and provided information promptly; and (b) Upon being notified of the Incident, the Organisation swiftly took remedial actions. 16 Having considered all the relevant factors of this case, the Commissioner hereby directs the Organisation to pay a financial penalty of $15,000 within 30 days from the date of the directions, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 17 In light of the remedial actions taken by the Organisation, the Commissioner has decided not to issue any further directions. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,8f0ad290a860ac8ce3ca4cbe3b5a690b72561ff9,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,112,112,1,952,"A financial penalty of $9,000 was imposed on Singtel for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of some of its customers via its My Singtel mobile application.","[""Protection"", ""Financial Penalty"", ""Accommodation and F&B""]",2020-02-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Singapore-Telecommunications-Limited-311219.pdf,Protection,Breach of the Protection Obligation by Singtel,https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-obligation-by-singtel,2020-02-11,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 49 Case No. DP-1802-B1732 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Telecommunications Limited … Organisation DECISION Singapore Telecommunications Limited Yeong Zee Kin, Deputy Commissioner — Case No DP-1802-B1732 31 December 2019 Introduction 1 On 21 February 2018, the Personal Data Protection Commission (the “Commission”) received a complaint from an individual mobile subscriber of Singapore Telecommunications Limited (the “Organisation”) asserting that when the subscriber accessed account details using the Organisation’s “MySingTel” mobile application (the “App”), the subscriber was able to view the personal information of another subscriber. 
Facts of the Case 2 The Commission’s investigations revealed that due to a technical issue that occurred during a limited period, certain mobile subscribers of the Organisation were able to view the personal data of other subscribers when they used the App (the “Incident”). The Incident took place over a period of approximately 11 hours on 20 February 2018 and the personal data of 750 subscribers (the “Affected Subscribers”) were exposed to the risk of access by other subscribers. Of these, the personal data of 39 subscribers were, in fact, accessed by other subscribers. The specific cause of this incident is described below. 3 The Incident arose during the Organisation’s migration of its database of mobile customer accounts from its existing billing system (the “Existing System”) to a new billing system (the “New System”). [Redacted]. 4 However, an issue arose when there was a mobile number previously assigned to a subscriber (“historical numbers”) that was subsequently reassigned to another subscriber. One situation in which this happened was when a subscriber ported over an existing mobile number from another mobile telephone operator to the Organisation. In order to effect the porting over, the Organisation would first issue the subscriber with a temporary mobile phone number (this is referred to as a “dummy number”) as part of the overall porting mechanism. After the subscriber’s existing mobile telephone number had been successfully ported over to the Organisation, the dummy number would cease to be linked to the subscriber [redacted]. 5 [Redacted]. 6 During the migration period, when a subscriber logged in to the App, the App would query the Organisation’s Master Routing Database (“MRD”) to check if the subscriber’s data had been migrated and then route the query to the relevant billing system. On 20 February 2018, due to slow response times, queries by MRD to the Existing System encountered timeouts. 
When these timeouts occurred, even if the subscriber had been migrated to the New System, the query would by default be routed to the Existing System. If the subscriber had a historical number, such as a dummy number [redacted], [in certain circumstances] the service information associated with both the current mobile number and the historical number would be retrieved and made available to the subscriber. The service information of the historical number could be viewed by clicking on the mobile number and information bar. If the historical number had been reassigned to an Affected Subscriber, the service information of the Affected Subscriber would have been retrieved and made available to, and therefore at risk of access by, the subscriber. In this way, the associated information of the 39 subscribers was accessed during the timeouts. 7 The types of personal information of the Affected Subscribers (the “Personal Data”) which were accessible through the App included: (a) mobile numbers; (b) mobile plans subscribed to; (c) usage details; (d) account numbers; and (e) add-on services subscribed to. The relevant subscribers could also modify the add-on services tied to the Affected Subscribers’ mobile number; 6 such subscribers had tried to make such modifications. 8 Upon being notified by the Commission, the Organisation ensured that migrated Subscribers who encountered timeouts when using the App were shown an error message, and performed testing to verify that this was the case. Findings and Basis for Determination 9 Section 24 of the Personal Data Protection Act 2012 (the “PDPA”) requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 
Whether the Organisation Complied with Section 24 10 With respect to the design of the MRD, the Organisation asserted that it did not intend for the MRD to route queries to the Existing System in the event of a timeout, and that the Organisation’s intention was for an error message to be displayed instead. I give the Organisation the benefit of the doubt and accept its assertion. Since the intention was to display an error message, this ought to have been included as a scenario for user testing. Consequently, this Incident was caused by the following lapses on the Organisation’s part: (a) The Organisation had not carried out more thoroughly scoped tests to firstly ensure that dummy numbers in these circumstances did not produce any unintended effects; and (b) the test plan should have anticipated likely scenarios, such as session time-out. 12 If these had been done, the Organisation could have discovered the potential erroneous retrieval and unauthorised disclosure of the Affected Subscribers’ Personal Data for such accounts, and consequently, implemented measures to prevent the Incident from occurring. In view of the above, I found the Organisation in breach of section 24 of the PDPA. 13 The Organisation in its representations made the point that, in its view, the data breach “happened only where there was an obscure combination of factors”. While it is accepted that a combination of events had to occur before personal data would have been disclosed, I do not think that the combination of factors was obscure. First, session timeout for MRD queries was foreseen, with the intention for an error message to be displayed. Second, the Organisation had full knowledge of how dummy numbers are assigned as a temporary bridge for number porting, and that these dummy numbers are eventually reassigned. The combination of factors giving rise to the Incident was foreseeable and I do not think that the combination is obscure. 
The impact of the Incident was contained because of the Organisation’s prompt action in implementing a temporary fix. The Deputy Commissioner’s Directions 14 In determining the directions to be imposed on the Organisation under section 29 of the PDPA, I took into account the following mitigating factors: (a) the Organisation was cooperative during the investigations; (b) the Organisation took prompt action to mitigate the impact of the Incident by implementing a temporary fix within 11 hours; and (c) although the Personal Data of 750 individuals were at risk, only 39 of such individuals’ Personal Data were subject to unauthorised disclosure. 15 Having carefully considered all the relevant factors of this case, I hereby direct the Organisation to pay a financial penalty of $9,000 within 30 days from the date of the directions, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 16 As the Organisation had completed its migration on 19 August 2018 and there are no further risks to the Personal Data arising from the retrieval of Subscriber information from the Organisation’s Existing System, I have assessed that the remedial actions set out at [8] had sufficiently addressed the risks to the Personal Data arising from the Incident. I have therefore not made further directions for the Organisation. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,e2d462d64ec0e10bc672b4850fabd12bb0f0d993,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
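The routing fallback described in the Singtel decision above (a timeout in the migration-status lookup silently routing the query to the Existing System, which returned records for every number the subscriber had ever held, including a dummy number since reassigned to someone else) is a fail-open default. The Python below is an added example, not Singtel's code and not drawn from the decision, that models the two routes with constructed subscriber data and shows the fail-closed behaviour the decision says was intended (an error on timeout) together with an ownership filter as defence in depth, so that even the legacy path cannot return a number the subscriber no longer holds. Subscriber names, numbers, record fields and the MrdTimeout class are assumptions.

```python
class MrdTimeout(Exception):
    '''The migration-status lookup did not answer in time.'''


# Constructed sample data, not Singtel's. Subscriber A ported in via dummy number 80000001,
# which was later reassigned to subscriber B. A has been migrated to the New System; B has not.
NEW_SYSTEM = {'91110001': {'subscriber': 'A', 'plan': 'plan-new'}}
EXISTING_SYSTEM = {
    '91110001': {'subscriber': 'A', 'plan': 'plan-old'},
    '80000001': {'subscriber': 'B', 'plan': 'plan-B', 'addons': ['roaming']},
}
NUMBER_HISTORY = {'A': ['91110001', '80000001'], 'B': ['80000001']}   # every number ever held
CURRENT_OWNER = {'91110001': 'A', '80000001': 'B'}                    # who holds each number today
MIGRATED = {'A'}
UNAVAILABLE = {'error': 'service temporarily unavailable'}


def lookup_migration_status(subscriber, mrd_healthy):
    '''Models the MRD check; raises MrdTimeout when the backend is slow.'''
    if not mrd_healthy:
        raise MrdTimeout()
    return subscriber in MIGRATED


def query_existing_system(subscriber):
    '''Legacy lookup: returns a record for every number ever linked to the subscriber.'''
    return {n: EXISTING_SYSTEM[n] for n in NUMBER_HISTORY[subscriber] if n in EXISTING_SYSTEM}


def query_new_system(subscriber):
    '''New billing system: keyed by the number the subscriber currently holds.'''
    return {n: rec for n, rec in NEW_SYSTEM.items() if rec['subscriber'] == subscriber}


def account_view_vulnerable(subscriber, mrd_healthy):
    '''Before: a timeout silently falls back to the Existing System.'''
    try:
        migrated = lookup_migration_status(subscriber, mrd_healthy)
    except MrdTimeout:
        migrated = False            # default route on timeout: the Existing System
    if migrated:
        return query_new_system(subscriber)
    return query_existing_system(subscriber)


def account_view_hardened(subscriber, mrd_healthy):
    '''After: fail closed on timeout, and never return a number the subscriber no longer holds.'''
    try:
        migrated = lookup_migration_status(subscriber, mrd_healthy)
    except MrdTimeout:
        return dict(UNAVAILABLE)
    records = query_new_system(subscriber) if migrated else query_existing_system(subscriber)
    return {n: rec for n, rec in records.items() if CURRENT_OWNER.get(n) == subscriber}


def leaked_numbers(view, subscriber):
    '''Numbers in a returned view that currently belong to someone else (the test oracle).'''
    return sorted(n for n in view if n in CURRENT_OWNER and CURRENT_OWNER[n] != subscriber)


if __name__ == '__main__':
    # The scenario matrix the decision says the test plan should have covered:
    # healthy vs timed-out MRD, for a migrated subscriber with a reassigned historical number.
    for healthy in (True, False):
        for name, view in (('vulnerable', account_view_vulnerable), ('hardened', account_view_hardened)):
            result = view('A', healthy)
            print(name, 'mrd_healthy=%s' % healthy, 'leaks:', leaked_numbers(result, 'A'))
```

The leaked_numbers oracle is the check a user-acceptance scenario for session time-out would have asserted on: whatever the route, no number owned by another subscriber may appear in the response.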