_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,82,82,1,952,Directions were issued to Security Masters for failing to put in place reasonable security arrangements to prevent the unauthorised access of building visitors’ mobile numbers. A security personnel contacted the visitors to request return of visitor passes and send them Chinese New Year greetings.,"[""Protection"", ""Directions"", ""Others"", ""Text messages"", ""Mobile numbers"", ""Protection""]",2020-10-16,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Security-Masters-Pte-Ltd---21072020.pdf,Protection,Breach of the Protection Obligation by Security Masters,https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-security-masters,2020-10-16,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2002- B5875 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Security Masters Pte Ltd SUMMARY OF THE DECISION 1. On 17 February 2020, Security Masters Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that a security employee had used the mobile phone numbers of eight building visitors to contact them to request their return of visitor passes and send them Chinese New Year greetings. 2. Investigation found that the Organisation did not put in place any standard operating procedure or guidelines for the retrieval and use of visitors’ personal data prior to the incident. This gap in security arrangements allowed the incident to occur. 3. The Deputy Commissioner for Personal Data Protection therefore found that the Organisation did not adopt reasonable steps to protect personal data in its possession or under its control against risk of unauthorised access. 
The Organisation was in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012. 4. Following the incident, the Organisation restricted access to personal data to senior personnel and required all security personnel to sign an undertaking not to contact visitors in their personal capacity. However, structured training is needed to help its security personnel understand the importance of protecting the personal data they handled daily in their duties, such as National Registration Identification Card numbers, photographs and closed-circuit television footage. 5. On the above consideration, the Deputy Commissioner for Personal Data Protection hereby directs the Organisation to: a) Within 60 days from the date of the direction, revise its training curriculum to ensure that its security personnel understand i. the rationale for personal data protection; ii. the importance of consent and authorisation in the handling of personal data; and iii. the circumstances in which it would be appropriate to use and disclose personal data on social media platforms for work-related purposes; and b) Inform the Commission within 1 week of implementation of the above. ",Directions,e24e6989567857bec320cd7ad6365fd535330a52,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,83,83,1,952,A warning was issued to Interauct! 
for retaining personal data which was no longer necessary for legal or business purposes.,"[""Retention Limitation"", ""Warning"", ""Others"", ""Backup files"", ""Server migration""]",2020-10-16,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Interauct-Pte-Ltd---04082020.pdf,Retention Limitation,Breach of the Retention Limitation Obligation by Interauct!,https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-retention-obligation-by-interauct,2020-10-16,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1911-B5268 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Interauct! Pte Ltd SUMMARY OF THE DECISION 1. Interauct! Pte Ltd (the “Organisation”) operated an online mobile number auction (the “Auction”) for a telecommunications provider (the “Telco”). This arrangement started in the year 2000 and ended in 2018. 2. In November 2019, the Commission was informed that the Telco’s cybersecurity team had located an internet sub-domain containing files with the personal data of individuals who had participated in the Auction (the “Files”). The Files contained the following types of personal data: a. Name; b. ID (such as passport or NRIC number); c. Mobile number; d. Address; e. Date of birth; and f. Email address. 3. The Commission’s investigations revealed the following: a. The Organisation had engaged a vendor to provide web hosting services for the Auction. In 2012 and 2016, the vendor conducted server migration exercises. On both occasions, the Organisation created backups of the Files prior to server migration exercises and uploaded them on the vendor’s servers. The Organisation did not delete the Files after the server migrations were completed; b. In April 2019, the vendor misconfigured its servers. As a result, the Files became accessible on the internet sub-domain. However, to access this sub-domain, an individual had to key in either one of two URLs exactly. 
Both URLs were complex and lengthy. It was therefore difficult for an individual to determine the URLs exactly to enter the sub-domain. Indeed, an examination of server logs found that only the Telco had accessed the sub-domain; c. The Files contained a mix of individuals’ personal data, as well as dummy data used for testing purposes. An analysis of the Files showed that there were approximately 8,750 individuals’ personal data contained in them. The Telco compared the data with its customer records, and via a reconciliation process, was able to identify 3,380 individuals as its customers. In this regard, the Telco informed that it would have been very difficult for a third party, without access to the Telco’s customer records, to carry out such a reconciliation exercise. This means that even if an individual had accessed the Files, it would have been difficult for him to identify the individuals from the personal data in the Files; d. The Organisation deleted the Files within three hours of the Telco notifying the Organisation of their discovery of the internet sub-domain. The Organisation had also ensured that the vendor fixed the misconfiguration of the servers, which was done within six hours of the discovery of the internet sub-domain. 4. The Deputy Commissioner for Personal Data Protection (the “Deputy Commissioner”) finds that the Organisation had put in place, via the vendor, reasonable security arrangements to protect the personal data. In particular, the security arrangements in place would have prevented direct access by unauthorised third-parties to the Files hosted on the server. This had greatly reduced the potential adverse impact of the incident. 5. However, the Organisation admitted that there was no reason to retain the Files after the migration exercises were completed. If the Files had been duly deleted, the personal data in the Files would not have been compromised in the first place. 
The Deputy Commissioner therefore finds the Organisation in breach of the Retention Limitation Obligation under section 25 of the Personal Data Protection Act 2012. 6. After considering the facts and circumstances of the incident, including the fact that the personal data in the Files was ultimately not exposed, the Deputy Commissioner has decided to issue a warning to the Organisation for the breach of the Retention Limitation Obligation. No other direction is required as the breach has been remedied. ",Warning,5932047a3ee552243babdc8b5564ced3e448d87b,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,84,84,1,952,"A warning was issued to Chan Brothers Travel for failing to put in place reasonable security arrangements to protect the personal data of individuals on its website. The result was that the personal data of over 5,500 individuals were accessible through online web search engines.","[""Protection"", ""Warning"", ""Arts, Entertainment and Recreation"", ""Access control"", ""SEO indexing""]",2020-10-16,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Chan-Brothers-Travel-Pte-Ltd---21072020.pdf,Protection,Breach of the Protection Obligation by Chan Brothers Travel,https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-chan-brothers-travel,2020-10-16,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1905-B3936 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Chan Brothers Travel Pte Ltd SUMMARY OF THE DECISION 1. On 23 May 2019, the Personal Data Protection Commission (the “Commission”) received a data breach notification from Chan Brothers Travel Pte Ltd (the “Organisation”) and a complaint from a member of the public. 
Both were in relation to personal data being at risk of unauthorised access through the Organisation’s website at http://chanbrotherstravelclub.force.com (the “Website”) (the “Incident”). 2. In March 2017, the Organisation purchased Community Cloud, a product of Salesforce.com Singapore Pte Ltd (“Salesforce”), to host the Website. The Organisation managed the Website internally. In August 2018, the Organisation engaged Aodigy Asia Pacific Pte Ltd (“Aodigy”) as an outsource vendor to maintain and improve the Website. 3. The Website provided three online forms for enquiries and feedback. These were the “Enquiry Form”, “Feedback Form” and “Post-Tour Feedback Form” (collectively the “Forms”). The Forms collected the users’ names, email addresses and mobile phone numbers. 4. In March 2018, there was a software update released by Salesforce for Community Cloud. This software update included an automated search engine optimisation feature (the “SEO”). As the Website’s access configuration was set to “Public”, the Forms automatically inherited the same setting for the purpose of the SEO feature. The result was that the personal data of an estimated 5,593 individuals collected by the Forms were indexed and cached, and made searchable, through online web search engines. 5. Organisations that employ IT systems or features are responsible for data security. Organisations must acquire knowledge of the security settings and be aware of security implications of software features of their IT system, and they must configure the security settings to enable effective protection of personal data stored in the IT system. This responsibility extends to new features introduced by subsequent software releases. Organisations that lack the IT knowledge to discharge this responsibility should engage qualified assistance. 6. The Organisation failed to consider the implication of the “Public” setting of the Website on the security of the data collected by the Forms. 
It also failed to understand the function and operation of the SEO feature. The combination of these acts of omission resulted in the security issues arising from leaving the SEO feature enabled. 7. The Organisation claimed not to have received any notification from Salesforce of the SEO release. However, this is contradicted by the following. First, the notes of the software release were published on the website of Salesforce. Second, Aodigy had (in its role as vendor for another project) received information of the release. On balance, it is therefore unlikely that Salesforce would have omitted to notify the Organisation about the software release. In any event, the software release was in March 2018 when the Organisation was still maintaining the Website internally. The responsibility to assess the security implications of the software release lay squarely on its shoulders during that 5-month period before Aodigy was engaged. 8. Further, there is some uncertainty over whether Aodigy was instructed to review the security configuration of the Website (including the new software features) as part of its maintenance services when it was engaged. The Organisation did not give clear instructions to Aodigy to assess the security configuration of the IT system as part of the maintenance services. 9. In the circumstances, the Deputy Commissioner for Personal Data Protection therefore found the Organisation in breach of section 24 of the Personal Data Protection Act 2012 and took into account the following factors in deciding to issue a Warning to the Organisation: a. The personal data at risk of disclosure was limited to names, email addresses and contact numbers, apart from an estimated 50 NRIC numbers. b. The Organisation voluntarily notified the Commission of the Incident. c. Prompt co-operation in the course of the Commission’s investigations. 10. No directions are required as the Organisation took immediate steps to prevent the recurrence of the Incident. 
",Warning,1371e96aee9b5458d29ef161ea0de43abb7b1200,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,85,85,1,952,"A financial penalty of $4,000 was imposed on Tanah Merah Country Club for failing to put in place reasonable security arrangements to protect the personal data of individuals stored on its electronic direct mail (“EDM”) system. The common password for login to the EDM system was weak and had not been changed since 2010. There were also no arrangements in place to ensure and enforce password strength, expiry and protection. An application for reconsideration was filed against the decision Re Tanah Merah Country Club. Upon review and careful consideration of the application, directions in the decision were varied.","[""Protection"", ""Financial Penalty"", ""Arts, Entertainment and Recreation"", ""EDM"", ""Password"", ""Weak password""]",2020-10-16,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Tanah-Merah-Country-Club---21072020.pdf,Protection,Breach of the Protection Obligation by Tanah Merah Country Club,https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-tanah-merah-country-club,2020-10-16,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1906-B4115 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tanah Merah Country Club Editorial note: An application for reconsideration was filed against the decision in Re Tanah Merah Country Club. Pursuant to this application, the Commissioner has decided to reduce the financial penalty imposed on the Organisation from $8,000 to $4,000. As the application did not give rise to significant legal or factual issues, a separate decision on the application will not be published. SUMMARY OF THE DECISION 1. 
On 19 June 2019, Tanah Merah Country Club (the “Organisation”) informed the Personal Data Protection Commission (the “Commission”) of unauthorised access to its electronic direct mail (“EDM”) system (the “Incident”). During the Incident, which occurred on 9 June 2019, the EDM system was used to send unauthorised spam emails. 2. The Organisation was unable to determine how unauthorised access was gained to the EDM system. During investigations, it was discovered that the common password for login to the EDM system was weak, as it comprised the initials of the Organisation and the year 2010 (which was the year that the EDM system was set up). The password was shared by at least 3 persons: 2 of the Organisation’s marketing staff and its technical support vendor. Further, it had not been changed since 2010. Investigations disclosed that there were no arrangements in place to ensure and enforce password strength, expiry and protection. 3. In the circumstances, although the means of unauthorised access to the EDM system was not determined, the evidence pointed to weak password control as the cause. The Deputy Commissioner for Personal Data Protection therefore found the Organisation in breach of section 24 of the Personal Data Protection Act 2012. 4. The Organisation is directed to pay a financial penalty of $8,000 within 30 days from the date of this direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full. In view of the remedial measures taken by the Organisation, the Commission will not issue any other directions. 5. The Organisation’s prompt co-operation in the course of the Commission’s investigation and its prompt actions taken to remediate the breach were taken into consideration in determining the quantum of the financial penalty. 
",Financial Penalty,e641872fa69f2e946b7cb68cb7e884c4c88db9c2,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,86,86,1,952,"A financial penalty of $5,000 was imposed on Vimalakirti Buddhist Centre for failing to put in place reasonable security arrangements to protect the personal data of its members and non-members from unauthorised disclosure. The incident resulted in the personal data being subjected to a ransomware attack.","[""Protection"", ""Financial Penalty"", ""Others"", ""Ransomware"", ""No measures""]",2020-10-16,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Vimalakirti-Buddhist-Centre---04092020.pdf,Protection,Breach of the Protection Obligation by Vimalakirti Buddhist Centre,https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-vimalakirti-buddhist-centre,2020-10-16,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2004-B6193 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Vimalakirti Buddhist Centre SUMMARY OF THE DECISION 1. On 14 April 2020, Vimalakirti Buddhist Centre (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a ransomware infection that had rendered its data management system inaccessible by the Organisation (the “Incident”). 2. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited breach decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 3. The Incident occurred on or about 31 March 2020. 
Personal data of approximately 4,500 members and 4,000 non-members (total 8,500 individuals) were encrypted by the ransomware. The personal data encrypted included the name, address, contact number, NRIC number, date of birth and donation details of the individuals. 4. The Organisation admitted it did not give due attention to personal data protection, and had neglected to implement both procedural and technical security arrangements to protect the personal data in its possession and control. Consequently, it did not have the relevant security software and/or protocols in place to prevent the ransomware from entering its data management system. 5. In the circumstances, the Deputy Commissioner for Personal Data Protection finds the Organisation in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012 (the “PDPA”). 6. Following the incident, the Organisation set up a new server with backup from 21 October 2019. For the data collected by the Organisation from 22 October 2019 to the Incident, the Organisation had retrieved the data from physical file records and restored them in the new server. It also installed a firewall to filter network traffic to and from the new server, and cleaned, restored and reinstalled all computers connected to its data management system. Additionally, the Organisation committed to engage consultants to help produce a data protection manual and train its staff in cyber hygiene and incident response. 7. The Deputy Commissioner for Personal Data Protection notes that the Organisation had admitted to a breach of Protection Obligation under the PDPA, cooperated with the Commission’s investigation and taken prompt remedial action. There was no evidence that the personal data affected in the Incident had been misused in any form. In addition, the Organisation had a backup copy of the encrypted data and did not lose any data as a result of the Incident. 
Accordingly, the practice of having data backup(s) should be encouraged to prevent organisations from losing data in the event of ransomware. 8. On account of the above, the Deputy Commissioner for Personal Data Protection directs the Organisation to pay a financial penalty of $5,000 within 30 days from the date of this direction (failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full). 9. In view of the remedial actions taken by the Organisation, the Commission will not be issuing any other directions. ",Financial Penalty,e0f3f4b9ea5a6f7fe98f703d2b0a529a93f64315,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,87,87,1,952,A warning was issued to Horizon Fast Ferry for failing to put in place reasonable security arrangements to protect the personal data in the Organisation’s email account.,"[""Protection"", ""Warning"", ""Others"", ""Password policy"", ""Email account"", ""Phishing""]",2020-10-16,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision----Horizon-Fast-Ferry-Pte-Ltd---27082020.pdf,Protection,Breach of the Protection Obligation by Horizon Fast Ferry,https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-horizon-fast-ferry,2020-10-16,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1912-B5465 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Horizon Fast Ferry Pte. Ltd. SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (“Commission”) investigated a complaint against Horizon Fast Ferry Pte. Ltd. 
(the “Organisation”) where the Organisation’s email account, singapore@horizonfastferry.com (the “Email Account”) had sent out phishing emails to its customers (the “Incident”). 2. Investigations revealed that the computer used to access the Email Account was infected with malware. This caused the Email Account to send phishing emails to three customers. Each email contained only the personal data that the customer himself had sent to the Email Account to book ferry tickets. Hence there was no disclosure of other customers’ personal data in the phishing email. 3. The Organisation informed the Commission that it had implemented various security measures prior to the Incident such as updating their anti-virus software regularly. However, investigations revealed that the password to access the Email Account was shared by 11 employees of the Organisation and had not been changed for almost 3 years. This poor management of passwords fell short of what is reasonably required to protect the personal data in the Email Account. 4. The Deputy Commissioner for Personal Data Protection therefore found the Organisation in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012 for failing to implement reasonable security arrangements to protect the personal data in its possession or under its control. Upon consideration of the facts, a warning was issued to the Organisation. ",Warning,a9f0d524ae6cbf14f4db5cdf1e0ccba42e45b1e0,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,88,88,1,952,"A warning was issued to MRI Diagnostics for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of approximately 4,099 individuals which were publicly available via the internet. 
Directions were imposed on Clarity Radiology for failing to appoint a data protection officer and not having policies and practices necessary to comply with the PDPA.","[""Protection"", ""Warning"", ""Healthcare"", ""Excel spreadsheet"", ""Access restriction"", ""Patching"", ""Policies""]",2020-10-16,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---MRI-Diagnostics-Pte-Ltd-and-Other---22072020.pdf,Protection,Breach of the Protection Obligation by MRI Diagnostics and Breach of the Accountability Obligation by Clarity Radiology,https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-mri-diagnostics-and-breach-of-the-accountability-obligation-by-clarity-radiology,2020-10-16,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1811-B2975 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) MRI Diagnostics Pte Ltd (2) Clarity Radiology Pte Ltd SUMMARY OF THE DECISION 1. MRI Diagnostics Pte Ltd (“NovenaMRI”) operates a medical centre that provides magnetic resonance imaging and X-Ray services to patients. In the course of their business, NovenaMRI subscribed to an internet based teleradiology system (“System”) provided by Clarity Radiology Pte Ltd (“Clarity”). In turn, Clarity engaged an overseas IT vendor (the “IT Vendor”) to maintain the System. 2. On 7 November 2018, a patient of NovenaMRI (“Complainant”) notified the Personal Data Protection Commission (the “Commission”) about an Excel Spreadsheet containing approximately 600 individuals’ personal data (including the Complainant’s) that was accessible via the internet (the “Incident”). 3. During the course of investigations, the Commission found two additional Excel Spreadsheets containing similar information as the Excel Spreadsheet reported by the Complainant. A total of approximately 4,099 individuals were affected by the Incident (“Affected Individuals”). 
The Affected Individuals’ personal data that was exposed to unauthorised access included their names, NRIC numbers and the type of radiology scans performed (collectively, the “Personal Data Sets”). 4. The Commission’s investigations revealed that the Incident was caused by a lapse in the IT Vendor’s processes while carrying out maintenance work on the System. In particular, the IT Vendor had removed access restrictions to a network folder containing the Excel Spreadsheets for the purposes of patching the System, and omitted to reinstate the access restrictions after the patching was completed. Without access restrictions, the Excel Spreadsheets (containing the Personal Data Sets) were indexed by Google’s search engines and exposed to unauthorised access. 5. NovenaMRI was an organisation who had collected the Personal Data Sets from its patients, and had control of the Personal Data Sets at all material times. 6. Section 24 of the Personal Data Protection Act (“PDPA”) requires organisations like NovenaMRI to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or similar risks (the “Protection Obligation”). In this regard, the Deputy Commissioner for Personal Data Protection (“Deputy Commissioner”) finds NovenaMRI in breach of the Protection Obligation because: (a) When an organisation engages a vendor to supply, modify and/or maintain its IT system, it is required to provide the vendor with sufficient clarity and specifications on the requirements to protect personal data. This is because even if the vendor was not engaged to process personal data on the organisation’s behalf, it may nevertheless handle the personal data incidentally or make decisions that affect the security of the personal data in the course of providing its services. 
Depending on the circumstances of each case, the organisation should articulate its business requirements concerning the protection of personal data that the IT system will store. This will enable the vendor to assess and recommend the most appropriate and effective method to protect personal data. The organisation will then be able to make a decision with access to the right information. Examples of measures include having clauses in written agreements setting out clearly the vendor’s obligations to protect personal data, providing operational guidance and verifying the data protection arrangements implemented by the vendor and/or exercising some form of supervision and oversight over the vendor’s activities; (b) Given the nature of NovenaMRI’s business, which entailed being in possession and/or control of personal data of a sensitive nature (e.g. radiology scans and X-Rays), NovenaMRI should also have conducted a proper assessment of its vendor to satisfy itself that the vendor is well placed to protect the personal data it hosts. For example, NovenaMRI could have obtained documentary evidence that the vendor had complied with industry standards with respect to information security (e.g. the ISO 27001 standard). However, in this case, there was no evidence that NovenaMRI had conducted proper due diligence of the security standards put in place by Clarity, prior to subscribing to the System that provided cloud-based services, including hosting the Personal Data Sets; (c) Although NovenaMRI claimed that it had a written agreement with Clarity, it was unable to produce supporting evidence of this. NovenaMRI’s claim was also disputed by Clarity, who had admitted that there was no written agreement between the parties. In addition, even after NovenaMRI had engaged Clarity, NovenaMRI did not take any steps to verify if Clarity had implemented any data protection arrangements with respect to the System which hosted the Personal Data Sets. 7. 
As for Clarity, the contracted services from Clarity to NovenaMRI were to provide an archive for Dicom Images and a Web-based radiology information system with scheduling, registration, billing and client access modules. Essentially, Clarity was a “Software as a Service” provider (or what is commonly known as “SaaS-provider”) who had provided its cloud-based services to NovenaMRI. The provision of such technical solutions or deployment of software integrated into the clinical devices of NovenaMRI did not entail the processing of personal data. As such, Clarity was a vendor of NovenaMRI, and not a “data intermediary” of NovenaMRI. As a vendor, Clarity was not responsible for the protection of the Personal Data Sets under the PDPA in respect of the Incident. 8. However, during the course of investigations, Clarity admitted that it had failed to appoint a data protection officer and had not developed or put in place any data protection policies, as required under Sections 11(3) and 12 of the PDPA. Accordingly, Clarity is in breach of Sections 11(3) and 12 of the PDPA. 9. After considering the circumstances of the case, the Deputy Commissioner’s decisions are as follows: (a) to issue a warning to NovenaMRI for its breach of the Protection Obligation. No further directions are necessary as NovenaMRI has ceased its business relationship with Clarity; and (b) to direct that Clarity shall, within 30 days from the date of this decision: i. Appoint a data protection officer; ii. Develop and implement a data protection policy to comply with its obligations under the PDPA; and iii. Inform the Commission within 7 days of the completion of each of the above directions. 
",Warning,8906873bf2bf8d94f7c7b01b729303a770c83162,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,89,89,1,952,"A financial penalty of $9,000 was imposed on COURTS for failing to put in place reasonable security arrangements to protect the personal data of its members from unauthorised disclosure on its website. Some members were able to gain access to personal data of another member via a link in an email sent by COURTS.","[""Protection"", ""Financial Penalty"", ""Wholesale and Retail Trade"", ""Inadequate scoping of testing"", ""EDM"", ""Incorrect Setting""]",2020-10-16,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---COURTS-Singapore---140820.pdf,Protection,Breach of the Protection Obligation by COURTS,https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-courts,2020-10-16,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 17 Case No DP-1909-B4731 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And COURTS (Singapore) Pte Ltd. … Organisation DECISION COURTS (Singapore) Pte Ltd [2020] SGPDPC 17 Lew Chuen Hong, Commissioner — Case No DP-1909-B4731 14 August 2020 Introduction 1 On 6 September 2019, COURTS (Singapore) Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that an individual in its membership programme who had received an Electronic Direct Mail (“eDM”) from the Organisation, was able to access, without authentication, data in another individual’s account after clicking on a link (the “New eDM Link”) in the eDM (the “Incident”). Facts of the Case 2 The Organisation is a well-known consumer electronics and furniture retailer, with a number of stores in Singapore. 
Its membership programme, known as “homeclub by COURTS” (“Homeclub”) gives its members (“Members”) exclusive access to, among other things, events and discounts. The Organisation regularly sends eDMs to Members with links to specific products on the Organisation’s website (the “Website”). 3 The Organisation used a platform called Salesforce to create and send eDMs (the “Platform”) and the Website ran on the Magento system1 (the “System”), an e-commerce platform. The System generated a dynamic session identifier (“SID”) for each login to Homeclub on the Website. This SID would be used for all subsequent activities within the session. 4 On 31 August 2019, the Organisation sent an eDM to 76,844 Members (the “Affected Members”). This eDM included, for the first time, the New eDM Link, which was meant to direct Members to the Homeclub login page. The purpose of the New eDM Link was for Members to log in to their respective Homeclub accounts to update their membership identifier – Members were required to provide their mobile numbers to replace NRIC numbers that were previously used as the membership identifier. 5 The New eDM Link did not operate as intended, resulting in the Incident. The Commission’s investigations revealed the following: (a) Notwithstanding that the eDM sent on 31 August 2019 included for the first time the New eDM Link, the Organisation continued to use the System in its default setting. The default setting comprised (i) the SID embedded in the URL of the New eDM Link;2 and (ii) cookie settings to be refreshed after 60 minutes. (b) The default setting had not caused any issues when it was used by the Organisation to send marketing eDMs with eDM links directing Members to specific products on the Website. As Members were not 1 The Organisation acquired a license to operate the System from 6 March 2017. 
2 This was due to the default setting “Use SID on Storefront” being set to “Yes”. required to log in to their accounts in order to view the specific products, the SID embedded in the URL and cookie settings did not affect the functioning of the Website. (c) However, the default setting should not have been used for the New eDM Link – it led to the System assuming that every use of the New eDM Link within 60 minutes of a Member’s login was part of the same session. This meant that: (i) If Member X clicks on the New eDM Link and logs into his Homeclub account without logging out within 60 minutes, all other Members who subsequently clicked on the New eDM Link within 60 minutes of Member X’s login would automatically be directed to Member X’s account, without having to authenticate their credentials; and (ii) If Member X logged out while other Members were still logged into Member X’s account, the other Members would only be logged out of Member X’s account if they refreshed a page or navigated to other pages within Member X’s account. 6 According to the Organisation, 128 of the Affected Members clicked on the New eDM Link between approximately 8am on 31 August 2019 and 12.25am on 1 September 2019.3 The Incident led to the risk of unauthorised access and modification of personal data in the Affected Members’ respective Homeclub accounts. In this regard, each Member’s Homeclub account 3 The eDM containing the New eDM Link was sent to Members at approximately 8am on 31 August 2019. The Organisation rectified the error causing the Incident at approximately 12.25am on 1 September 2019. comprised (i) account information; and (ii) address book, which collectively contained the following data (“Personal Data Set”): (a) Name; (b) Email address; (c) Mobile Number; (d) Date of Birth (“DOB”); (e) Address; (f) Password; and (g) Transactional information i.e. 
products previously purchased by a Member. 7 In addition to unauthorised access, the following types of personal data in the Affected Members’ Personal Data Sets were at risk of unauthorised modification as a result of the Incident: (a) The Affected Member’s name, DOB, mobile number and residential address from his/her account information; and (b) The Affected Member’s name, mobile number and residential address from his/her address book. 8 The risk of unauthorised modification in [7(a)] and [7(b)] was possible because password verification was not required to make these changes. Conversely, an Affected Member’s username (which was his/her email address) and password could not be modified without password verification. An Affected Member’s Personal Data Sets also could not be downloaded by another Member who had accessed his/her account because there was no download function on the Website. 9 There was no risk of financial loss to Affected Members through the Incident. While it was possible for another Member (who was given access to Member X’s account) to make a purchase through Member X’s account, he/she would have to provide credit card details to complete the purchase. This was because financial information (i.e. credit card details) was not stored in the System, and there was no reward system in Homeclub for the redemption of products or benefits. 10 Based on the Organisation’s investigations into the Incident, there was no evidence of any unauthorised modification to the Affected Members’ Personal Data Sets. Other than the Affected Member who had notified the Organisation of the Incident, the Organisation did not receive any further complaints or feedback. 
11 Upon being notified of the Incident on the same day, the Organisation promptly took the following remedial actions: (a) Fixed the error that caused the Incident at approximately 12:25am on 1 September 2019 by changing the setting for “Use SID on Storefront” to “No”; (b) Implemented password verification for any changes to Members’ account information and address book;4 4 This came into effect on 6 January 2020. (c) Put in place a standard operating procedure (“SOP”) to ensure correct link insertion into eDMs to protect personal data. For eDM links that are supposed to lead to a login page, checks will be conducted to ensure that there will be multiple concurrent user testing; (d) Took steps to engage an external vendor to work on security matters (including data protection security), and disseminate this information to its employees; and (e) Emailed the 128 Affected Members who had clicked on the New eDM Link to inform them of the Incident. The Commissioner’s Findings and Basis for Determination Whether the Organisation had contravened section 24 of the PDPA 12 Section 24 of the PDPA provides that an organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or similar risks (the “Protection Obligation”). It is not disputed that the Organisation had possession and control of the Personal Data Sets at the material time. The Commission’s investigations revealed that the Organisation failed to put in place reasonable security arrangements to protect the Personal Data Sets for the reasons explained below. 13 First, the Organisation failed to conduct adequate testing before implementation. As mentioned at [4], this was the first time the Organisation included in its eDM the New eDM Link to direct Members to the Homeclub login page. 
There was only 1 employee in the Organisation’s digital marketing team that was in charge of creating the New eDM Link and testing it prior to its launch. The employee conducted a limited test of sending the eDM containing the New eDM Link to himself – the New eDM Link operated as intended, directing the employee to the Homeclub login page. This limited test was clearly inadequate. As emphasized in the Commission’s previous decisions, an organisation should ensure that testing scenarios are properly scoped. In particular, pre-launch testing of processes or systems needs to mimic expected real world usage, including foreseeable scenarios in a normal operating environment when the changes are introduced.5 In the present case, the Organisation intended to send the eDM to a very large number of Members. It is therefore foreseeable that testing scenarios should include multiple sequential logins or even concurrent logins to the Homeclub login page at peak usage. If the Organisation had tested the New eDM Link to approximate this real world scenario, the Incident would have likely come to light at that stage. 14 Second, the Organisation failed to assess the appropriateness of the default settings in the System for the New eDM Link. (a) The Organisation used the default setting in the System for the New eDM Link without any assessment on its implications. As mentioned in the Commission’s Guide to Securing Personal Data in Electronic Medium at [17.5] and previous decisions,6 when using ready-made software, organisations are required to obtain a clear understanding of the intended purpose of the software, how the software 5 See Re Option Gift Pte Ltd [2019] SGPDPC 10 at [15]; Re AIA Singapore Pte Limited [2019] SGPDPC 20 at [15] and L’Oreal Singapore Pte. Ltd. Case No. 
DP 1812-B3091, Summary of the Decision at [3] 6 See for example Re DS Human Resource Pte Ltd [2019] SGPDPC 16 at [9] functions and how to configure the software correctly. The Organisation failed to do so in the present case; (b) There was an option in the Platform to automatically generate eDM links without any SID in the URL. The Organisation did not fully appreciate the differences in using this option to create links that are embedded within an eDM, as compared with the effects of embedding SIDs as part of the URL for the New eDM Link. Due to a lack of understanding of the differences between these out-of-the-box features of the commercial off-the-shelf product that he was using, the employee in charge of creating the New eDM Link was not aware that the appropriate method was to use the option in the Platform that generated eDM links without SID in the URL. Instead, the employee manually copied the New eDM Link (which contained the SID) from the internet browser for insertion into the eDM; and (c) While the Organisation had in place a process for a second-level check on the content and layout of the eDM, the nature of this type of check would not have been effective in picking up the more technical issues relating to embedded SID in the New eDM Link. Understanding fully the features of the commercial off-the-shelf product in use and properly scoping the testing scenarios during user acceptance testing would have been the more appropriate and effective way to avoid and catch such errors. 15 For the reasons above, the Commissioner found the Organisation in breach of section 24 of the PDPA. Representations by the Organisation 16 In the course of settling this decision, the Organisation made representations on the amount of financial penalty that the Commissioner intended to impose. 
The Organisation raised the following factors for the Commissioner’s consideration: (a) The Organisation takes a serious view of its obligations under the PDPA, and has taken the necessary remedial actions to prevent future data protection incidents from occurring. Personal data protection remains a priority for the Organisation even during these uncertain and turbulent times amidst the COVID-19 pandemic; and (b) The COVID-19 pandemic has had an adverse impact on the business of the Organisation, resulting in a significant loss of revenue. Specifically, due to “circuit breaker” measures imposed by the government, the Organisation closed all 14 of its retail outlets in Singapore from 7 April 2020 to 19 June 2020. Further, its operating overheads remained largely unchanged as labour accounted for a significant portion of its costs, and the Organisation has maintained a commitment to retaining employees so as to protect their livelihoods. Even with the recent reopening of its physical stores, the Organisation continues to have a negative outlook of its business due to the impact of COVID-19 on the economy and a challenging retail landscape. 17 Having carefully considered the representations, the Commissioner has decided to reduce the financial penalty to the amount set out at [19]. The quantum of financial penalty has been calibrated after due consideration of the Organisation’s financial circumstances due to the unprecedented challenges faced by businesses amid the current COVID-19 pandemic, bearing in mind that financial penalties imposed should not be crushing or cause undue hardship on organisations. Although a lower financial penalty has been imposed in this case, the quantum of financial penalty should be treated as exceptional and should not be taken as setting any precedent for future cases. 
The Commissioner’s Directions 18 In determining the directions, if any, to be imposed on the Organisation under Section 29 of the PDPA, the Commissioner took into account as an aggravating factor that this is the second time the Organisation has been found in breach of the Protection Obligation.7 The Commissioner also took into account the following mitigating factors: (a) The Organisation cooperated with the investigations and provided prompt responses to the Commission’s requests for information; (b) The Organisation implemented remedial actions swiftly to address the Incident; and (c) The Members’ Personal Data Sets were exposed to the risk of unauthorised access and/or modification for a limited period of less than one day. 19 Having considered all the relevant factors of this case, the Commissioner hereby directs the Organisation to pay a financial penalty of S$9,000 within 30 days from the date of this direction, failing which interest, at the rate specified in the Rules of Court in respect of judgment debts, shall accrue and be payable 7 See Re Courts (Singapore) Pte Ltd [2019] SGPDPC 4 on the outstanding amount of the financial penalty until it is paid in full. The Commissioner has not set out any further directions given the remediation measures already put in place. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,7b84d1c0b092675d5ee94570a80a3de93072541d,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"