_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,95,95,1,952,"A financial penalty of $5,000 was imposed on Singapore Accountancy Commission for failing to put in place reasonable security arrangements to prevent the unauthorised access of 6,541 Singapore Chartered Accountant Qualification programme personnel and candidates’ personal data.","[""Protection"", ""Financial Penalty"", ""Professional"", ""Scientific and Technical"", ""Unintended recipient"", ""Email attachments""]",2020-08-03,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Singapore-Accountancy-Commission---22062020.pdf,Protection,Breach of the Protection Obligation by Singapore Accountancy Commission,https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by-singapore-accountancy-commission,2020-08-03,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1911-B5296 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Accountancy Commission SUMMARY OF THE DECISION 1. On 18 November 2019, Singapore Accountancy Commission (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that a folder containing personal data of 6,541 Singapore Chartered Accountant Qualification programme personnel and candidates was mistakenly enclosed in emails sent to 41 unintended recipients between 12 June 2019 and 22 October 2019. The folder comprised information such as names, National Registration Identification Card numbers, dates of birth, contact details, education and employment information and Singapore Chartered Accountant Qualification examination results. Following the incident, 41 unintended recipients confirmed deletion of the email and folder they each received. 2. 
The Organisation admitted to a lack of robust processes to protect personal data when sending emails. The staff involved in the sending of the emails were not informed of the Organisation’s personal data policies as part of their induction training. The Organisation’s data protection policies and procedures were not translated into security arrangements for protection of personal data. There were, for example, no second-tier or supervisory checks or technical measures to reduce the risk of sending content with personal data to unintended parties at the time of the incident. 3. Following the incident, the Organisation undertook remediation. This included training sessions on cybersecurity and personal data protection for all employees and revision of policies and procedures on handling of personal data. 4. In the circumstances, the Deputy Commissioner for Personal Data Protection found that the Organisation did not adopt reasonable steps to protect personal data in its possession or under its control against unauthorised access. The Organisation was in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012 (the “PDPA”). 5. The Organisation had made an admission of breach of the Protection Obligation under the PDPA, cooperated with the Commission’s investigation and taken prompt remedial actions. 6. On account of the above, the Organisation is directed to pay a financial penalty of $5,000 within 30 days from the date of this direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. In view of the remedial actions taken by the Organisation, the Commission will not issue any other directions. 
",Financial Penalty,3a8e7894f9d69623906f336fc824af00e156f58e,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,96,96,1,952,A warning was issued to Zero1 and IP Tribe respectively for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of 118 individuals’ personal data contained in invoices which were sent to incorrect recipients.,"[""Protection"", ""Warning"", ""Information and Communications"", ""Unintended recipient"", ""Duplication of batch ID"", ""Inadequate scoping of testing""]",2020-08-03,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Zero1-and-IP-Tribe---07042020.pdf,Protection,Breach of the Protection Obligation by Zero1 and IP Tribe,https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by-zero1-and-ip-tribe,2020-08-03,"PERSONAL DATA PROTECTION COMMISSION Case Nos. DP-1903-B3630, DP-1908-B4431 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And 1. Zero1 Pte. Ltd. 2. IP Tribe Pte Ltd SUMMARY OF THE DECISION 1. On 22 March 2019, Zero1 Pte Ltd (the “Organisation”) voluntarily informed the Personal Data Protection Commission (the “Commission”) that invoices containing the personal data of their subscribers had been emailed to unintended recipients (the “Incident”). Each invoice contained the name, address, subscriber ID, mobile number, mobile charges, and the call details of any international calls made by a subscriber (the “Personal Data”). Each email contained a subscriber’s invoice which was unintendedly sent to another subscriber instead. 2. The Organisation was a licensed Mobile Virtual Network Operation that provided mobile services. It partnered Singtel Mobile Singapore Pte. Ltd. 
(“Singtel”), which appointed IP Tribe Pte Ltd (“IPT”) to develop and deploy a Mobile Virtual Network Enabler (the “1st Platform”) to manage subscriber accounts. 3. IPT ran the 1st Platform for the Organisation, including generating and sending monthly emails to subscribers. IPT then subcontracted the provision of the billing system within the 1st Platform to Openet Telecom Sales Limited (“Openet”). The 1st Platform was deployed in August 2018. 4. A replacement platform (the “New Platform”) was deployed in 2019. Openet subcontracted 6D Technologies (“6D”) to migrate subscriber data from the 1st Platform to the New Platform. In February 2019, 6D migrated the data of 12,000 to 15,000 subscribers. 5. The Incident was caused by Batch ID duplication. The Batch ID was a unique number that tagged each subscriber to his name and email address. The migration was staggered and some errors made it necessary to delete data migrated earlier. However, due to a coding error, not all previously migrated data had been deleted. The New Platform failed to recognise the Batch IDs that were not deleted and re-issued the same Batch IDs. As a result, 118 invoices belonging to subscribers with duplicated Batch IDs were affected. Since each Batch ID determined the email address to which an invoice was sent, Batch ID duplication resulted in the New Platform emailing the 118 invoices to the wrong addresses. 6. Before a new IT system or a change to an IT system goes live, pre-launch testing is important to determine that the system would run as expected. The Organisation, IPT and 6D jointly conducted pre-launch testing. The Organisation as the end user, and IPT as the Organisation’s data intermediary, should have scoped the pre-launch testing to include a simulation of expected scenarios. 
In particular, the scenario in which migration to the New Platform is staggered and a high volume of email addresses would have been assigned Batch IDs for the sending of emails to the right subscriber (“Migration Scenario”). 7. However, in the pre-launch testing, the Migration Scenario was not catered for. Only two test accounts were used to check that the New Platform could generate and email invoices to the right parties. This was insufficient to simulate expected usage. Consequently, the tests failed to surface this issue. 8. The proper scoping of pre-launching testing is important for the detection of functionality issues that may put personal data at risk. In failing to simulate the expected scenarios, in particular the Migration Scenario, the Organisation and IPT failed to meet the reasonable standard required to discharge the Protection Obligation. 9. Furthermore, the processes to ensure that the New Platform would issue unique Batch IDs were inadequate. A date/time stamp could have been included as part of each Batch ID to avoid duplication, which was implemented only after the Incident. 10. In deciding to find the Organisation and IPT respectively in breach of the Protection Obligation under the Personal Data Protection Act 2012 (the “PDPA”) and to issue a Warning to each party, the Deputy Commissioner for Personal Data Protection took into account the following: a. Although the Organisation neither owned nor operated the New Platform, it remained a data controller in control of its subscribers’ Personal Data. b. IPT was the Organisation’s data intermediary in developing the New Platform, which included migration of the personal data of subscribers. IPT relied on Openet as its subcontractor, and the Batch ID duplication occurred as a result of errors during the migration that was performed by 6D. Notwithstanding the representations made by IPT, it retained a key role, together with the Organisation, in scoping the pre-launch testing of the New Platform. 
c. The tests proved to be inadequate and a reasonable opportunity to prevent the Incident was missed. For this, both the Organisation and IPT bore responsibility. 11. No directions are required as the Organisation and IPT had taken remedial actions to address the gaps in security arrangements respectively. ",Warning,9289b77ccf9c91c7e895f86b99071f8723ce5faf,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,97,97,1,952,A warning was issued to Actstitude for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of individuals' personal data. Over 160 individuals uploaded their resumes to Actstitude's website and their personal data were accessible over the Internet.,"[""Protection"", ""Warning"", ""Information and Communications"", ""URL manipulation"", ""Vulnerability"", ""Access control"", ""Security""]",2020-08-03,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Actstitude-Pte-Ltd---20032020.pdf,Protection,Breach of the Protection Obligation by Actstitude,https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by-actstitude,2020-08-03,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1910-B5129 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Actstitude Pte Ltd SUMMARY OF THE DECISION 1. Actstitude Pte Ltd (the “Organisation”) is a social media platform marketing agency. It has a webpage allowing individuals interested in joining the Organisation to upload their resumes. For each resume uploaded, a file was created with a Uniform Resource Locator (“URL”) and stored in a database. Between August 2018 to October 2019, over 160 individuals uploaded their resumes. 2. 
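The access-control failure this decision describes, a resume file reachable by a URL that can be altered to fetch other individuals' files with no ownership check, is an insecure direct object reference. The following is an added illustration in Python, not code from the page or from Actstitude: the in-memory store, the handler names and the response headers are assumptions, and the sample uploads are constructed. It shows the guessable sequential id being walked without any login, then the hardened handler requiring a session, an unguessable token and a server-side owner check, and answering noindex to crawlers so the files are not picked up by search engines.

```python
# Added illustration of the access-control gap in the Actstitude decision:
# resume files served by a guessable URL with no ownership check (an
# insecure direct object reference). Hypothetical in-memory model, not
# the Organisation's code.
import secrets
from dataclasses import dataclass, field


@dataclass
class Resume:
    owner: str
    content: bytes


@dataclass
class ResumeStore:
    by_seq: dict = field(default_factory=dict)     # sequential id -> Resume
    by_token: dict = field(default_factory=dict)   # random token -> Resume
    next_seq: int = 1

    def upload(self, owner, content):
        seq = self.next_seq
        self.next_seq += 1
        token = secrets.token_urlsafe(32)          # 256 random bits, not guessable
        r = Resume(owner, content)
        self.by_seq[seq] = r
        self.by_token[token] = r
        return seq, token


def serve_resume_vulnerable(store, seq):
    # Vulnerable: anyone who can reach /resume/<seq> gets the file, and
    # <seq> is a small integer that can simply be incremented.
    r = store.by_seq.get(seq)
    if r is None:
        return 404, {}, b''
    return 200, {}, r.content


def serve_resume_hardened(store, session_user, token):
    # Hardened: require an authenticated session, look the file up by an
    # unguessable token, and still enforce ownership on the server.
    if session_user is None:
        return 401, {}, b''
    r = store.by_token.get(token)
    if r is None or r.owner != session_user:
        return 404, {}, b''   # same answer for missing and not-yours: no oracle
    headers = {
        'X-Robots-Tag': 'noindex, nofollow',     # keep crawlers from indexing
        'Cache-Control': 'private, no-store',
        'Content-Disposition': 'attachment',
    }
    return 200, headers, r.content


def enumerate_vulnerable(store, max_seq):
    # What a curious visitor could do against the vulnerable handler:
    # walk the ids and collect every file that comes back.
    found = {}
    for seq in range(1, max_seq + 1):
        status, _, body = serve_resume_vulnerable(store, seq)
        if status == 200:
            found[seq] = body
    return found


def demo():
    # Constructed sample data: two applicants upload a resume each.
    store = ResumeStore()
    store.upload('alice', b'Alice CV')
    seq_b, tok_b = store.upload('bob', b'Bob CV')
    leaked = enumerate_vulnerable(store, 10)                      # both files, no login
    blocked = serve_resume_hardened(store, 'alice', tok_b)[0]     # alice with bob's token
    allowed = serve_resume_hardened(store, 'bob', tok_b)[0]       # owner with own token
    anon = serve_resume_hardened(store, None, tok_b)[0]           # no session at all
    return len(leaked), blocked, allowed, anon


if __name__ == '__main__':
    print(demo())   # (2, 404, 200, 401)
```

The token alone is not the control: ownership is still checked after the lookup, so a token that leaks (in a log, a referrer, or a search index) stops working as soon as the holder is not the logged-in owner, and the noindex header addresses the indexing path the decision mentions.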
The Organisation, however, admitted that it did not put in place controls to restrict access to the resume files. The URLs generated by the Organisation could also be manipulated to access resume files uploaded by different individuals. 3. When the webpage was created on 5 July 2018, the Organisation did not conduct vulnerability scanning as part of pre-launch testing; neither did the Organisation conduct periodic security reviews. Such scans offer a reasonable chance of detecting both the lack of access controls and the vulnerability of the URLs to manipulation. 4. The result of this failure to put in place access controls or to conduct security testing was that Google indexed and disclosed the URLs when a search was made of the names in the uploaded resumes. The URLs could then be manipulated to access the resumes of other individuals. This led to a complaint to the Personal Data Protection Commission on 25 October 2019. 5. The Deputy Commissioner for Personal Data Protection therefore found that the Organisation did not adopt reasonable steps to protect personal data in its possession or under its control against risk of unauthorised disclosure. The Organisation was in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012. Upon consideration of the facts, a warning was issued to the Organisation. No directions are required as the Organisation had taken action to address the gaps in its security arrangements. ",Warning,f67b98aac5af051e0230fe4d74d422bae5c57230,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,98,98,1,952,"A warning was issued to Jean Yip Salon for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of its employees. 
As a result, the personal data of 28 individuals were accessible over the Internet.","[""Protection"", ""Warning"", ""Wholesale and Retail Trade"", ""Password"", ""Public access""]",2020-08-03,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Jean-Yip-Salon-Pte-Ltd--13032020.pdf,Protection,Breach of the Protection Obligation by Jean Yip Salon,https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by--jean-yip-salon,2020-08-03,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1907-B4281 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Jean Yip Salon Pte Ltd SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (the “Commission”) received a complaint on 16 July 2019 about an employee system (the “System”) maintained by Jean Yip Salon Pte Ltd (the “Organisation”) that was publicly accessible via the internet. The personal data of 28 individuals disclosed via the System included their name, NRIC number, residence status, date of birth, nationality, gender, mobile number and job designation. 2. The Commission found that the Organisation did not adopt reasonable measures to protect personal data in its possession against risk of unauthorised access. First, the Organisation opened public access to a server without ascertaining what it hosted. As a result, while enabling public access to the Customer Online Appointment Booking System, it inadvertently also allowed access to the System (meant only for internal use), which was also hosted on the same server. Second, there were no processes in place to remove or deactivate unnecessary user accounts of the System. Finally, the Organisation did not enforce a password policy for the user accounts of the System. As such, the complainant was able to gain access to the System by simply using a well-known and weak default username and password pair. 3. 
In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 24 of the Personal Data Protection Act 2012 and issued a warning to the Organisation. No directions were required as the Organisation had implemented corrective measures that addressed the gaps in its security arrangements. ",Warning,ebdd2c957a9673f4bcab7ed28d18a885209a8e04,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,99,99,1,952,A warning was issued to FWD Singapore for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of 71 individuals’ personal data contained in payment advice letters which were sent to incorrect recipients.,"[""Protection"", ""Warning"", ""Finance and Insurance"", ""Letters"", ""Logic error"", ""Code review""]",2020-08-03,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/FWD-Singapore-Pte-Ltd---Summary-of-Decision---13032020.pdf,Protection,Breach of the Protection Obligation by FWD Singapore,https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by-fwd-singapore,2020-08-03,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1907-B4352 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And FWD Singapore Pte Ltd SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (the “Commission”) was notified on 26 July 2019 by FWD Singapore Pte Ltd (the “Organisation”) of the unintended disclosure of 71 individuals’ (the “Affected Individuals”) personal data contained in 42 payment advice letters sent to incorrect recipients between 20 June 2019 and 17 July 2019 (the “Incident”). 2. The Incident arose from the Organisation’s attempt to fix a logic error in the system that it used to generate payment advice letters. 
The error was introduced when a fix for an earlier logic error was deployed. The Commission found that the second logic error could have been detected if manual code review and unit testing had been conducted to a reasonable standard. 3. The second logic error caused the extraction of incorrect mailing addresses for payment advice letters in some circumstances. This resulted in the Affected Individuals’ names and identification numbers in payment advice letters being sent to incorrect addresses. The Organisation should have taken care in conducting its manual code review and unit testing to avoid another logic error. In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of its Protection Obligation under section 24 of the Personal Data Protection Act 2012 (the “PDPA”). 4. The Deputy Commissioner took into account the following factors in deciding to issue a warning to the Organisation: a. The Organisation had managed to retrieve letters containing the personal data of 67 out of the 71 Affected Individuals. b. The Organisation voluntarily notified the Commission of the Incident. c. The second logic error resulted in the extraction of incorrect mailing addresses only in limited circumstances. 5. No directions are required as the Organisation took steps to improve its development processes to prevent the recurrence of the Incident. ",Warning,bb248e5764c08e64f81212ce9f5a5c65012fd88c,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,100,100,1,952,"A financial penalty of $32,000 was imposed on CDP for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of individuals’ personal data. 
Mail sent by CDP was addressed to incorrect recipients.","[""Protection"", ""Financial Penalty"", ""Finance and Insurance"", ""Mail"", ""Unintended recipient""]",2020-08-03,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---The-Central-Depository-(Pte)-Limited-30032020.pdf,Protection,Breach of the Protection Obligation by CDP,https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by-cdp,2020-08-03,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 12 Case No DP-1905-B3847 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And The Central Depository (Pte) Limited … Organisation DECISION The Central Depository (Pte) Limited [2020] SGPDPC 12 Tan Kiat How, Commissioner — Case No DP-1905-B3847 30 March 2020 Introduction 1 The Central Depository (Pte) Limited (the “Organisation”) provides integrated clearing, settlement and depository facilities for its account holders (“CDP Account Holders”) in the Singapore securities market. On 3 May 2019, the Organisation notified the Personal Data Protection Commission (the “Commission”) that dividend cheques of some CDP Account Holders had been mailed to outdated addresses, resulting in the disclosure of their personal data to other individuals. Facts of the Case 2 Prior to 10 December 2018, the Organisation used a software known as the Post Trade System (“PTS”) for the purposes of post trade processing. The Organisation developed and customised additional modules that interfaced with PTS, including a module for the printing of dividend cheques (“Dividend Cheque Module”). The Dividend Cheque Module was used to automate the generation of dividend cheque mailers (i.e. mailers enclosing dividend cheques to be posted to CDP Account Holders). 3 Subsequently, the Organisation purchased another software, the New Post Trade System (“NPTS”) to replace the PTS. 
In comparison to the PTS, the NPTS facilitated record keeping that was more comprehensive. The PTS only recorded a CDP Account Holder’s latest address, while the NPTS kept records of the CDP Account Holder’s updated address as well as historical addresses.[1] Arising from the new feature of the NPTS that kept records of CDP Account Holders’ updated addresses and historical addresses, the Organisation updated the programming logic of the Dividend Cheque Module (and all other modules that required retrieving of addresses) to extract the CDP Account Holders’ updated addresses. [1] As there was only one address for each CDP Account Holder stored in the PTS, a query for the address would always extract that address of the CDP Account Holder. 4 Prior to migration from PTS to NPTS, the Organisation conducted several tests, which included the following: (a) A test for the change of address for the module that generated notification letters acknowledging a change of address. This included checking that the notification letters extracted the updated address (the “Notification Letters Test”); (b) A test for the extraction of CDP Account Holders’ personal data for the Dividend Cheque Module. The scope of this test did not include the scenario of change of address (i.e. whether the Dividend Cheque Module would extract the updated address in the event a CDP Account Holder changed its address) (the “Dividend Cheque Module Test”); and (c) Manual code review of the additional modules (including the Dividend Cheque Module). 5 On 10 December 2018, the Organisation migrated from PTS to NPTS. As the tests mentioned at [4] did not detect any errors, the Organisation was unaware that the Dividend Cheque Module may not consistently extract a CDP Account Holder’s updated address. 6 On 20 March 2019, a CDP Account Holder complained that the Organisation had mailed a cheque for dividends to an outdated address (“First Incident”). The Organisation commenced investigations immediately. 
However, the Organisation’s technical team was unable to replicate the error and identify the issue that caused the First Incident. The results for the Dividend Cheque Module Test returned the correct addresses, including the complainant’s correct address. 7 Subsequently, on 12 April 2019, the Organisation’s customer service team received an email from the Monetary Authority of Singapore (“MAS”) in relation to a complaint (“Second Incident”). Meanwhile, notwithstanding that the Organisation’s technical team was unable to identify the issue that caused the First Incident, to further reinforce the programming logic, they introduced a defensive measure with a clause to consistently extract the updated addresses (the “Fix”). On 20 April 2019, the Organisation deployed the Fix into the production environment. 8 After several rounds of correspondence and additional information provided by MAS on 30 April 2019 in relation to the Second Incident, the Organisation realised that the issue pertaining to the First Incident and Second Incident may have a wider impact than originally anticipated. The Organisation conducted further investigations which revealed that all of the modules involving the retrieval of addresses were correctly coded except the Dividend Cheque Module. The error in the code in the Dividend Cheque Module (which resulted in the programme logic not consistently extracting a CDP Account Holder’s updated address) had caused the First Incident and Second Incident. Due to the implementation of the Fix as mentioned at [7], the error had been permanently resolved by this time. 9 According to the Organisation, 542 CDP Account Holders were due to receive dividend cheque mailers, and had previously updated their addresses. 
Out of the 542 CDP Account Holders whose personal data was at risk of unauthorised disclosure, the Organisation confirmed that 331 CDP Account Holders had presented their dividend cheques, indicating that their dividend cheque mailers had been sent to the correct addresses. By deduction, there were accordingly 211 CDP Account Holders (“Affected Individuals”) whose dividend cheque mailers were sent to outdated addresses. 10 The information disclosed in the dividend cheque mailers (collectively, “Disclosed Data”) were: (a) Name of client; (b) NRIC number; (c) Central Depository (Pte) Limited (“CDP”) account number; (d) Name of security; (e) Quantity of security held; and (f) Dividend amount. 11 During the course of its investigations into the First Incident and Second Incident, the Organisation took the following remedial actions: (a) On 20 April 2019, introduced an additional measure to ensure that the updated address of CDP Account Holders would be extracted in the Dividend Cheque Printing Module; (b) Reviewed all modules which interfaced with NPTS and which involved the extraction of addresses to confirm that the error was specific only to the Dividend Cheque Module; and (c) Re-issued replacement cheques and explanation letters to the Affected Individuals. 12 In addition, the Organisation will also be conducting refresher training to ensure that its teams report issues under their respective purview as soon as practicable (even when similar type of issues had previously been raised), so that necessary follow up action may be taken. Findings and Basis for Determination Whether the Organisation had contravened section 24 of the PDPA 13 It is undisputed that the Disclosed Data constitutes “personal data” as defined in section 2(1) of the Personal Data Protection Act 2012 (“PDPA”), and the Organisation had possession and/or control over the Disclosed Data at all material times. 
14 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. The fact that the Disclosed Data included NRIC numbers and personal data of a financial nature (i.e. CDP account number, name and quantity of security held, and dividend amount) is relevant in assessing the standard of reasonable security arrangements required. As emphasized in previous decisions, when it comes to the protection of personal data of a sensitive nature, stronger security measures must be put in place due to the actual or potential harm, and the severity of such harm, that may befall an individual from an unauthorised use of such data.[2] Having in mind the sensitivity of the Disclosed Data, the Organisation failed to put in place reasonable security arrangements to protect the Disclosed Data for the reasons explained below. [2] See for example, Re Credit Counselling Singapore [2017] SGPDPC 18 at [25]; Re Aviva Ltd [2018] SGPDPC 4 at [17]; DS Human Resource Pte. Ltd. [2019] SGPDPC 16 at [9(c)]; and AIA Singapore Private Limited [2019] SGPDPC 20 at [12]. 15 When the Organisation migrated from PTS to NPTS, it had an obligation to conduct proper and adequate testing of the NPTS and its implementation that simulated real world usage of the system. This was critical in order to prevent errors from compromising the security of the Disclosed Data. In particular, and as mentioned at [3], the NPTS had a new feature which kept records of both the updated addresses of CDP Account Holders as well as their historical addresses, and the Organisation was relying on the NPTS and its customised additional modules to extract the correct address when generating the dividend cheque mailers. 
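The change-of-address scenario that the Dividend Cheque Module Test left out can be modelled directly. The following Python is an added illustration, not CDP's NPTS code: the AddressRecord model, the extraction functions and the test sizes are assumptions, and the address history is constructed data. It shows an extractor that returns whichever history row it meets first (correct only when the history happens to be stored newest-first, so a test limited to holders who never moved passes), the explicit latest-effective selection that a defensive fix adds, and a test that generates many holders, a realistic share of moves and an unordered history, which is the scope that exposes the defect.

```python
# Added model of the CDP address-extraction defect and of the test scope
# that would have caught it. Hypothetical data model and function names,
# constructed sample data; not the Organisation's NPTS code.
import random
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AddressRecord:
    account: str
    address: str
    effective_from: date   # NPTS keeps history; PTS stored only one row per holder


def current_address_buggy(rows, account):
    # Returns the first row found for the holder. Correct only when the
    # history happens to be ordered newest-first, so it passes a narrow
    # test and fails intermittently in production.
    for r in rows:
        if r.account == account:
            return r.address
    return None


def current_address_fixed(rows, account):
    # Explicitly select the latest effective record, whatever the row order.
    history = [r for r in rows if r.account == account]
    if not history:
        return None
    return max(history, key=lambda r: r.effective_from).address


def build_history(n_holders, changed_fraction, rng):
    # Constructed sample data: every holder has an original address; a
    # fraction later moved, which adds a second, newer record.
    rows, expected = [], {}
    for i in range(n_holders):
        acct = f'CDP{i:05d}'
        old = AddressRecord(acct, f'{i} Old Road', date(2015, 1, 1))
        rows.append(old)
        expected[acct] = old.address
        if rng.random() < changed_fraction:
            new = AddressRecord(acct, f'{i} New Avenue', date(2018, 6, 1))
            rows.append(new)
            expected[acct] = new.address
    rng.shuffle(rows)   # storage order is not guaranteed to be chronological
    return rows, expected


def count_misrouted(extract, rows, expected):
    # Number of cheque mailers that would go to an outdated address.
    return sum(1 for acct, addr in expected.items() if extract(rows, acct) != addr)


def narrow_test(extract):
    # The scope actually used: holders who never changed address.
    rows, expected = build_history(50, 0.0, random.Random(1))
    return count_misrouted(extract, rows, expected) == 0


def change_of_address_test(extract):
    # The missing scenario: many holders, a realistic share of moves,
    # unordered history.
    rows, expected = build_history(2000, 0.25, random.Random(2))
    return count_misrouted(extract, rows, expected) == 0


if __name__ == '__main__':
    for name, fn in (('buggy', current_address_buggy), ('fixed', current_address_fixed)):
        print(name, 'narrow:', narrow_test(fn), 'change-of-address:', change_of_address_test(fn))
```

The point of the second test is not the single extra case but the volume and the shuffled order: with a handful of hand-picked holders the buggy extractor can still return the right address by luck, which is also why a passing Notification Letters Test said nothing about a separately coded module.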
16 The Commission’s investigations revealed that the Organisation failed to conduct sufficient testing before migrating from PTS to NPTS for the following reasons: (a) First, the scope of the testing for the Dividend Cheque Module was too narrow and did not include the scenario of change of address. This omission was unacceptable given that (i) change of address was a known scenario (which was tested in the module with respect to generation of notification letters that acknowledged change of address); and (ii) the Organisation relied on the Dividend Cheque Module to extract the updated address and automate the generation of dividend cheque mailers; (b) Secondly, the Organisation should have tested the Dividend Cheque Module in an environment that simulated real world usage of the system. This required the Organisation to not only scope the tests to include the change of address scenario, but also to have a sufficient number of test cases to properly test these scenarios; and (c) Thirdly, the Organisation had conceded that there was a “reasonable chance” that the error in the Dividend Cheque Module may have been detected if the scope of the tests had included the change of address scenario with a sufficient number of test cases. 17 For the reasons above, the Commissioner found the Organisation in breach of section 24 of the PDPA. Representations by the Organisation 18 In the course of settling this decision, the Organisation made representations on the amount of financial penalty that was to be imposed. The Organisation raised the following factors for consideration: (a) The Organisation had expended its best efforts in testing: (i) Prior to migration from PTS to NPTS, the Organisation carried out the Notification Letter Test and the Dividend Cheque Module Test. Both tests did not return any errors. In view of this, the Organisation did not contemplate further targeted testing at the material time. 
(ii) Even if the Organisation had expanded the scope of the Dividend Cheque Module Test to cover the change of address scenario and increased the relevant test cases, such testing may have still failed to reveal the defect. In this regard, after being informed of the First Incident, the Organisation was unable to replicate the error through repeated testing with real world cases. (b) There was no risk of actual financial loss. (i) The dividend cheques were made out to the names of the Affected Individuals and could only be encashed into accounts bearing such names. (ii) The Disclosed Data of each Affected Individual was disclosed only to a single recipient, as opposed to the world at large. The Disclosed Data was also insufficient, in and of itself, to be used by a recipient to impersonate or execute any transaction in the name of an Affected Individual. (iii) The Organisation used a specific envelope for the mailing of dividend cheques to minimise unauthorised access to the Disclosed Data, save in wilful circumstances. Each envelope was marked “Private & Confidential” and “To be opened by addressee only”. A return address was printed on the face of the envelope, to cater for the event that the letter was not properly delivered to the addressee. (c) Upon establishing the number of dividend cheques affected on 3 May 2019, the Organisation promptly notified the Affected Individuals and the Commission. The Organisation also took proactive and prompt remedial steps at [11]. (d) The financial penalty imposed should be consistent with the Commission’s previous decisions and commensurate with the scale of the Incident. Taking into consideration the number of Affected Individuals in the present case and financial penalties imposed in the Commission’s previous decisions involving similar number of affected individuals, a warning would suffice. In the alternative, the Organisation submitted that any financial penalty imposed should not exceed $5,000. 
19 Having carefully considered the representations, the Commissioner has decided to maintain the financial penalty set out at [21] for the following reasons: (a) As explained in [15] to [16], the Organisation failed to conduct sufficient testing before migrating from PTS to NPTS. The module that generated notification letters acknowledging a change of address was coded independently from the Dividend Cheque Module. The Organisation should not have relied on test results from the Notification Letters Test as assurance that there were no errors in the Dividend Cheque Module, and it would consistently extract a CDP Account Holder’s updated address. (b) The Organisation’s representations that there was no risk of financial loss cannot be accepted. Although the risk of financial loss was reduced because the dividend cheques were made out to the names of the Affected Individuals, there was still a risk of fraud i.e. the unauthorised individuals who received the dividend cheque mailers could have fraudulently altered the names on the dividend cheques and presented them for encashment. In addition, for the period between the Incident and the Organisation issuing the replacement cheques, the Affected Individuals would have been deprived of the use of funds they would have otherwise access to. As for the Organisation’s representations on the specific envelopes used for the mailing of dividend cheques, the fact that the dividend cheques mailers were sent to unauthorised individuals meant that there was a risk of further unauthorised access, use and disclosure of the Disclosed Data. 8 (c) The Organisation’s voluntary notification of the Incident to Affected Individuals and the Commission, as well as the Organisation’s proactive and prompt remedial steps had already been taken into consideration in determining the financial penalty at [21]. 
(d) With respect to the Organisation’s representations comparing the present case to earlier decisions, it needs only to be said that each decision is based on the unique facts of each case. The decision in each case takes into consideration the specific facts of the case so as to ensure that the decision and direction(s) are fair and appropriate for that particular organisation. The Commissioner’s Directions 20 In the assessment of the breach and determination of the directions, if any, to be imposed on the Organisation under section 29 of the PDPA, the fact that the Affected Individuals were put at risk of actual financial loss was an aggravating factor. The dividend cheques mailers were sent to outdated addresses and there was a risk that they may have been banked in by unauthorised persons. The Affected Individuals would also have been deprived of the use of the funds they would have otherwise access to, had they received and banked in the dividend cheques. On the other hand, the following mitigating factors were also considered: (a) the Organisation took prompt remedial actions to rectify the error and mitigate the effects of the breach; and (b) 21 the Organisation was cooperative with the Commission’s investigations. In consideration of the relevant facts and circumstances, the Commissioner hereby directs the Organisation to pay a financial penalty of $32,000 within 30 days from the date of the directions, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. The Commissioner has not set out any further directions given the remediation measures already put in place. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION",Financial Penalty,c533793aa9a8e3bfcebfd59e65b4ee2051754090,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,101,101,1,952,"A financial penalty of $10,000 was imposed on MDIS Corporation for failing to put in place reasonable security arrangements to protect the personal data of individuals on its website. These individuals had provided their personal data to MDIS Corporation for registration purposes to attend its courses.","[""Protection"", ""Financial Penalty"", ""Education"", ""Public access"", ""Database""]",2020-08-03,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---MDIS-Corporation-Pte-Ltd---17032020.pdf,Protection,Breach of the Protection Obligation by MDIS Corporation,https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by-mdis-corporation,2020-08-03,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 11 Case No DP-1905-B3832 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And MDIS Corporation Pte Ltd. … Organisation
DECISION MDIS Corporation Pte Ltd [2020] SGPDPC 11 Tan Kiat How, Commissioner — Case No DP-1905-B3832 17 March 2020
Introduction
1 On 2 May and 17 June 2019, the Personal Data Protection Commission (the “Commission”) received two complaints from an individual (the “Complainant”) in relation to a Microsoft Excel spreadsheet (the “Spreadsheet”) containing personal data of individuals who had signed up for courses with MDIS Corporation Pte Ltd (the “Organisation”). The Complainant was able to access the Spreadsheet through a Google search of her NRIC number on 2 May and 17 June 2019 (the “First Incident” and “Second Incident” respectively).
Facts of the Case
2 The Organisation is a not-for-profit, professional institute for lifelong learning. The Organisation’s server and webpage were maintained by a web development vendor (the “Vendor”). In October 2017, the Organisation engaged the Vendor to develop its website (the “Website”) to include a content management system (“CMS”) for the Organisation to manage training and courses provided, and an online registration form (the “Form”) for course participants to provide their personal data. The purpose of the Form was for the Organisation to use the personal data collected to identify course attendees, create certificates for individuals who had completed their courses and verify their details for the purposes of claiming SkillsFuture credits. The Vendor subsequently engaged a freelance developer based in India (the “Developer”) to assist in developing the Website.
3 There were no written contracts between (i) the Organisation and the Vendor; and (ii) the Vendor and the Developer setting out the parties’ respective scope of work and responsibilities with respect to the development of the Website. During development of the Website, the Organisation conveyed its instructions for the Website via telephone to the Vendor, and the Vendor acted as the middleman between the Organisation and the Developer. From time to time, the Organisation would also contact the Developer directly.
4 In December 2017, the Organisation and the Vendor carried out pre-launch testing on the Website (including the Form). In September 2018, the Organisation approved the Website for launch and the Website went “live” shortly after. Between September 2018 and February 2019, the Vendor assisted in rectifying various features on the Website that were not developed to the Organisation’s expectations. The Organisation terminated the Vendor’s engagement in or around February 2019 as it was not satisfied with the Vendor’s service.
5 The First Incident occurred on 2 May 2019 when the Complainant entered her NRIC number into a Google search. The search result was a URL link displaying partial information about the Complainant, including NRIC number, email address and mobile phone number (the “Spreadsheet Link”). The Complainant clicked on the Spreadsheet Link, which led to the Spreadsheet containing the following information of 304 individuals, including the Complainant’s (the “Disclosed Data”):
(a) Name;
(b) Designation;
(c) Citizenship;
(d) NRIC number / identification number (for foreigners);
(e) Email address;
(f) Name of the company that the individual worked for;
(g) Registration type;
(h) Contact number;
(i) Billing address;
(j) Country;
(k) Contact person; and
(l) Course title, course code and date.
6 On the same day, the Complainant notified the Commission and the Organisation about the First Incident. The Organisation promptly took the following remedial actions:
(a) Blocked the CMS administrative backend;
(b) Inserted a “robot.txt” file to prevent search engines from crawling the Website; and
(c) Submitted a removal request to Google to ensure cached versions of the Spreadsheet Link would be removed from search results.
7 In addition, as part of the Organisation’s investigations, it periodically removed the blockage on the CMS administrative backend to test and replicate the First Incident.
8 The Second Incident occurred on 17 June 2019 when the Complainant entered her NRIC number into a Google search and was again able to access the Spreadsheet Link and Spreadsheet. According to the Organisation, the Second Incident occurred because the Complainant carried out the Google search of her NRIC number at the same time that the Organisation had removed the blockage on the CMS administrative backend to conduct tests on the First Incident.
9 As of 19 June 2019, the Organisation’s newly appointed vendor deployed security patches on the Website and removed the code that caused the First Incident and Second Incident. As part of the Organisation’s remedial actions, a new backend system for the Website will also be deployed.
The Commissioner’s Findings and Basis for Determination
10 As a preliminary point, the Organisation owned the Website and was in possession and control of the Disclosed Data (collected through the Form) at all material times. While the Vendor and the Developer were engaged to develop the Website, the Organisation confirmed that neither of them processed the Disclosed Data on the Organisation’s behalf. Both the Vendor and Developer were accordingly not data intermediaries, and the responsibility to protect the Disclosed Data fell squarely and solely on the Organisation.
11 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. The Organisation failed to put in place reasonable security arrangements to protect the Disclosed Data for the reasons explained below.
12 First, the Organisation failed to communicate any data protection requirements to the Vendor or the Developer.
(a) The Organisation conceded that it did not have a written contract with the Vendor in relation to the development of the Website. There was also no written contract between the Vendor and Developer. As emphasised in previous decisions and the Commission’s Guide on Building Websites for SMEs (revised 10 July 2018) at [4.2.1], organisations that engage IT vendors to develop and/or maintain their websites should ensure that their IT vendors are aware of the need for personal data protection by making it part of their contractual terms [fn 1].
(b) According to the Organisation, it had verbally communicated data protection requirements to the Vendor and Developer. In contrast, the Vendor asserted that there was no such communication. As the data controller and customer, the Organisation ought to be clear about the scope of services that it is procuring from its service providers, and document the scope properly in contract and other project documentation [fn 2]. In this case, the Organisation was not able to produce anything in writing to corroborate its assertions. In the circumstances, the Commissioner finds that the Organisation failed to communicate data protection requirements to the Vendor and Developer.
(c) Given that one of the purposes of developing the Website was to collect the Disclosed Data through the Form, the Organisation’s failure to specify clear requirements with respect to the protection of personal data is particularly glaring.
fn 1: See for example Re EU Holidays Pte Ltd [2019] SGPDPC 38 at [11].
fn 2: Re Royal Caribbean Cruises (Asia) Pte Ltd [2020] SGPDPC 5 at [12].
13 Second, prior to the launch of the Website, the Organisation failed to take reasonable steps to scope the pre-launch testing to discover risks to the Disclosed Data that was collected through the Form. As a result, the vulnerability in the CMS administrative backend of the Website (which allowed Google to crawl and index the Spreadsheet Link) remained undetected prior to the First Incident.
(a) Websites connected to the Internet are subject to a multitude of cyber threats that may compromise the website and expose any personal data collected. The Commissioner takes this opportunity to reiterate that organisations should ensure that protection of personal data and the security of the website is a key design consideration at each stage of the website’s life cycle, including requirements gathering, design and development, UAT, deployment and operations support [fn 3].
(b) The Commission’s investigations revealed that the pre-launch testing conducted prior to launch of the Website focused on its functionality. According to the Organisation, it believed that the password protection on the administrative panel was “secure enough”. In this regard, the Organisation admitted that it did not inform the Vendor of the requirement to secure personal data collected through the Form.
(c) The omission to include security testing prior to the launch of the Website is particularly concerning given that:
(i) The purpose of the Form was to collect the Disclosed Data from individuals participating in the Organisation’s courses; and
(ii) The Organisation knew that the administrative panel had an export function which collated the Disclosed Data (entered by course participants in the Form) into the Spreadsheet. The export function could be triggered either by clicking on the export button in the administrative panel or by clicking on the Spreadsheet Link. The Spreadsheet Link was not intended to be publicly available and should have only been accessible with valid login credentials.
(d) In the circumstances, the Organisation should have scoped the pre-launch testing to verify that password protection measures on the administrative panel and the login credentials on the Spreadsheet Link operated as intended.
fn 3: See the Commission’s Guide on Building Websites for SMEs (revised 10 July 2018) at [3.2 – 3.3] and Re Horizon Fast Ferry Pte. Ltd. [2019] SGPDPC 27 at [26].
14 During the course of the Commission’s investigations, the Organisation asserted that it was not an IT services provider, and therefore had relied on its Vendor to identify the risks and implement the appropriate security measures for the Website. This is not an acceptable explanation. It should be reiterated that while organisations may delegate work to vendors to comply with the PDPA, the organisation’s responsibility for complying with statutory obligations under the PDPA may not be delegated [fn 4]. While an organisation may not have — or need to have — the requisite level of technical expertise, a responsible organisation would have engaged competent service providers and made genuine attempts to give proper instructions [fn 5]. The Organisation is only expected to articulate its business requirements as owner of the system, which the service provider can translate into technical requirements. In addition, as the data controller, the Organisation is required to exercise reasonable oversight to ensure that its instructions are carried out [fn 6]. In this case, and as mentioned at [12], the Organisation failed to provide any data protection instructions to either the Vendor or the Developer. The Commission’s investigations also revealed that the Organisation did not exercise reasonable oversight in respect of the security arrangements for the Website.
fn 4: Re WTS Automotive Services Pte. Ltd. [2018] SGPDPC 26 at [23]; Re National Healthcare Group [2019] SGPDPC 46 at [17].
fn 5: Re WTS Automotive Services Pte Ltd [2018] SGPDPC 26 at [24]; Re DS Human Resource Pte. Ltd. [2019] SGPDPC 16 at [15].
fn 6: Re Smiling Orchid (S) Pte Ltd and others [2016] SGPDPC 19 at [51].
15 For the reasons above, the Commissioner finds the Organisation in breach of section 24 of the PDPA.
The Commissioner’s Directions
16 In determining the directions, if any, to be imposed on the Organisation under Section 29 of the PDPA, the Commissioner took into account the following mitigating factors:
(a) The Organisation was cooperative in the course of the Commission’s investigations and provided prompt responses to the Commission’s requests for information;
(b) The Organisation implemented prompt remedial actions; and
(c) The unauthorised disclosure of the Disclosed Data was only to the Complainant.
17 The Commissioner also took into account, as an aggravating factor, that the Disclosed Data was exposed to the risk of unauthorised disclosure for a period of approximately 6 months [fn 7].
fn 7: The approximate period of 6 months was between November 2018 (when individuals started signing up for courses on the Website using the Form) and June 2019 (when security patches were deployed to fix the vulnerabilities on the Website).
18 Having considered all the relevant factors of this case, the Commissioner hereby directs the Organisation to pay a financial penalty of S$10,000 within 30 days from the date of this direction, failing which interest, at the rate specified in the Rules of Court in respect of judgment debts, shall accrue and be payable on the outstanding amount of the financial penalty until it is paid in full.
19 The Commissioner has not set out any further directions given the remediation measures already put in place.
YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION
",Financial Penalty,25ed2dfd0034231d7bc91c9c8c2ca09ccadc268f,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,102,102,1,952,A warning was issued to MCST 3400 for failing to put in place reasonable security arrangements to prevent the unauthorised access of 562 individuals’ personal data stored in an internal directory.,"[""Protection"", ""Warning"", ""Real Estate"", ""MCST"", ""Directory"", ""Security"", ""Public access""]",2020-08-03,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---MCST-3400-17032020.pdf,Protection,Breach of the Protection Obligation by MCST 3400,https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by-mcst-3400,2020-08-03,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 10 Case No. DP-1909-B4797 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Management Corporation Strata Title Plan No. 3400 … Organisation
DECISION Management Corporation Strata Title Plan No. 3400 [2020] SGPDPC 10 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1909-B4797 17 March 2020
Introduction
1 On 2 September 2019, the Personal Data Protection Commission (the “Commission”) was notified that a directory containing personal data belonging to Management Corporation Strata Title Plan No. 3400 (the “Directory”) was accessible on the Internet by any member of the public (the “Incident”).
Facts of the Case
2 In April 2012, Management Corporation Strata Title Plan No. 3400 (the “Organisation”) purchased a Network Attached Storage Device (the “NAS”) for the purposes of internal file sharing among its administrative staff over a local network. The Directory was one of the files stored on the NAS. The Organisation did not intend for the NAS to be connected to the Internet. Prior to the Incident, the Organisation was unaware that the Directory could be accessed via an Internet Protocol address without the need for any login credentials.
3 The Directory contained personal data of 562 individuals collected for the purposes of complying with the Building Maintenance and Strata Management Act and the Building Maintenance (Strata Management) Regulations 2005, as well as to contact subsidiary proprietors of the Organisation.
4 The following types of personal data of the Affected Individuals were exposed to the risk of unauthorised disclosure (collectively, the “Disclosed Data”):
(a) 12 council members of the Organisation: Name; NRIC / Passport Number; Contact number; Email address; and
(b) 550 subsidiary proprietors of the Organisation: Name; Email address; Contact number; Block and Unit number; Change of property ownership details; Identity of resident; Statement of accounts; Car plate numbers; Figures in relation to share values/arrears [fn 1].
fn 1: The types of personal data collected from the 550 subsidiary proprietors varied. This was because, apart from the mandatory requirement to provide their names, the other types of personal data were optional fields.
5 Upon being informed of the Incident by the Commission on 2 September 2019, the Organisation promptly disconnected the NAS from the Internet on the same day.
Findings and Basis for Determination
Whether the Organisation had contravened section 24 of the PDPA
6 In today’s digital age, many organisations are moving towards paperless offices. Through digitisation, an increasing amount of information (including personal data) is stored electronically and online. This has resulted in a higher risk of data breaches involving IT security vulnerabilities. In the past few years, the Commission has investigated data breaches involving Insecure Direct Object References [fn 2], SQL injection vulnerabilities [fn 3], and absence of directory access controls [fn 4]. Given the increasing number of cases involving IT security vulnerabilities, including the present one, I would like to take this opportunity to highlight some of the measures that organisations could implement in order to comply with their obligations under Section 24 of the Personal Data Protection Act 2012 (the “PDPA”).
fn 2: See Re InfoCorp Technologies Pte. Ltd. [2019] SGPDPC 17 and Re Singapore Telecommunications Limited [2019] SGPDPC 36.
fn 3: See Re Metro Pte Ltd [2016] SGPDPC 7; Re Ncode Consultant Pte Ltd [2019] SGPDPC 11; and Re Creative Technology Ltd [2020] SGPDPC 1.
fn 4: See Re Fu Kwee Kitchen Catering Services & anor [2016] SGPDPC 14; Re Tutor City [2019] SGPDPC 5; Re Advance Home Tutors [2019] SGPDPC 35; Re SearchAsia Consulting Pte. Ltd. [2019] SGPDPC 40; and Re Society of Tourist Guides (Singapore) [2019] SGPDPC 48.
7 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the “Protection Obligation”). In my view, the Organisation failed to put in place reasonable security arrangements to protect the Disclosed Data and was in breach of the Protection Obligation for the reasons explained below.
8 In an IT security context, timely detection of risks to personal data is key to an organisation’s compliance with the Protection Obligation. As explained and discussed below, there are two key measures that organisations should implement to detect IT security vulnerabilities.
9 First, organisations should conduct code reviews [fn 5] and pre-launch testing [fn 6] before new IT features or changes to IT systems are deployed. These processes allow organisations to pick up and rectify errors and/or flaws in the new IT features and/or systems prior to deployment. There have been a number of cases where errors in the application code resulted in the unintended disclosure of personal data or unintended access to personal data: see, for example, Re Singapore Telecommunications Limited [2019] SGPDPC 36 [fn 7], and Re Flight Raja Travels Singapore Pte Ltd [2018] SGPDPC 16 [fn 8]. This is particularly important if the new IT feature is accessible from the Internet, and therefore exposed to a “multitude of cyber threats that may compromise the website and expose any personal data [the organisation] collects” [fn 9].
fn 5: Depending on the complexity and scope of the new code/system, organisations may conduct the code reviews manually, or with the appropriate automated code review software and tools.
fn 6: This may include load testing, stress testing and/or integration testing.
fn 7: There was unauthorised disclosure of personal data of the organisation’s customers due to a direct object reference vulnerability (which was a design issue in the organisation’s mobile app’s application programming interface).
fn 8: The organisation introduced a new mobile application that allowed access to the online booking system through mobile devices without login. This resulted in some of the organisation’s customers having unauthorised access to booking records (containing personal data) of other customers.
fn 9: See Re Horizon Fast Ferry Pte. Ltd. [2019] SGPDPC 27 at [26].
10 Second, organisations should conduct periodic security reviews of their IT systems [fn 10]. The comprehensiveness of such security reviews should be scoped based on the organisation’s assessment of its data protection needs. For example, periodic security reviews would not typically include penetration tests for most systems that are within the internal corporate network. However, organisations with Internet-facing IT systems that contain personal data that is sensitive in nature should consider conducting penetration testing as part of their periodic security reviews.
11 Generally, as part of the periodic security review of their IT systems, organisations should avail themselves of up-to-date online vulnerability scanning tools, and are expected to acquire reasonable proficiency in their use or seek assistance by engaging vendors with the appropriate expertise [fn 11]. The use of such tools provides organisations a reasonable chance of detecting common security vulnerabilities in their IT systems [fn 12].
fn 10: As set out by the Commissioner in a number of previous decisions, including Re WTS Automotive Services Pte. Ltd. [2018] SGPDPC 26 at [18], Re Bud Cosmetics [2019] SGPDPC 1 at [24] and Re Chizzle Pte. Ltd. [2019] SGPDPC 44 at [6] to [8].
fn 11: See Re WTS Automotive Services Pte Ltd [2018] SGPDPC 26 at [24], and Re DS Human Resources Pte Ltd [2019] SGPDPC 16 at [15(a)].
fn 12: For example, see the OWASP Top Ten at: https://owasp.org/www-project-top-ten/.
12 As a complement to the use of up-to-date online vulnerability scanning tools, the periodic security review of an organisation’s IT systems should also include a manual component. This would include review of password management policies [fn 13], archival of personal data that no longer needs to be stored online to near-line or off-line storage [fn 14], and purging of personal data that no longer serves any legal or business purpose for the organisation.
fn 13: See Re GlobalSign.in Pte Ltd [2019] SGPDPC 43.
fn 14: See Re Orchard Turn Developments Pte. Ltd. [2017] SGPDPC 12.
13 In addition, it is important for an organisation to be aware of and track its personal data assets. The creation and maintenance of a personal data asset register (i.e. a record identifying all personal data in the organisation’s possession or control) is a good practice that would assist organisations to comply with the Protection Obligation. An up-to-date personal data asset register provides the organisation with an accurate record of all the personal data in its possession or control, and enables the organisation to ensure its periodic security reviews cover the personal data assets. It also enables the organisation to more effectively review the implementation of its data protection policies, for example, the access control list setting out the employees who have access to the IT systems the personal data asset is stored in, whether the internal business owner of the personal data asset has reviewed it for data quality issues [fn 15], and initiating the process for disposing of personal data that has reached the end of its life cycle within the organisation.
fn 15: This includes aspects like whether the personal data is accurate and how recently it was updated: see the Commission’s Model Artificial Intelligence Governance Framework (Second Edition) at page 38.
14 In the present case, the Organisation admitted that it had not conducted any security reviews of its IT systems, including the NAS and the Directory. Consequently, it was unaware of their configuration, which allowed access from the Internet without any form of access control. The Organisation ought to have formulated a policy for the NAS and the Directory, implemented the IT security practices that give effect to the policy and conducted periodic security reviews to ensure that the practices are adequate. For example, if the intention was to permit access to the NAS and the Directory from the Internet, then the policy should establish who should have access and the level of sensitivity of the personal data; the IT security practices would then implement the right level of security measures to control access to the personal data and protect the personal data during its transmission. On the contrary, if the intention was to restrict the NAS and the Directory to the internal corporate network, then the practices to implement this policy would include considerations like whether the NAS and the Directory were connected to the right segment of the corporate network and whether their configuration was effective in limiting access to users from within the corporate network. In view of the Organisation’s admission, and the lack of any security measures to protect the Disclosed Data stored in the Directory, I find the Organisation in breach of section 24 of the PDPA.
Conclusion
15 In determining the directions, if any, to be imposed on the Organisation under section 29 of the PDPA, I took into account the following mitigating factors:
(a) The majority of the Affected Individuals’ Disclosed Data exposed to risk of unauthorised access, use and/or disclosure related only to contact information;
(b) The Organisation took prompt remedial action to disconnect the NAS from the Internet; and
(c) There was no evidence of actual misuse or exfiltration of the Disclosed Data.
16 Having considered all the relevant factors of this case, I have decided to issue a warning to the Organisation for the breach of its obligations under section 24 of the PDPA. No directions are required in view of the prompt remedial action implemented by the Organisation.
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION",Warning,315029b0a5e1ce7489dea7f836f1f9a64435e6bc,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"