_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,89,89,1,952,"A financial penalty of $9,000 was imposed on COURTS for failing to put in place reasonable security arrangements to protect the personal data of its members from unauthorised disclosure on its website. Some members were able to gain access to personal data of another member via a link in an email sent by COURTS.","[""Protection"", ""Financial Penalty"", ""Wholesale and Retail Trade"", ""Inadequate scoping of testing"", ""EDM"", ""Incorrect Setting""]",2020-10-16,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---COURTS-Singapore---140820.pdf,Protection,Breach of the Protection Obligation by COURTS,https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-courts,2020-10-16,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 17 Case No DP-1909-B4731 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And COURTS (Singapore) Pte Ltd. … Organisation DECISION COURTS (Singapore) Pte Ltd [2020] SGPDPC 17 Lew Chuen Hong, Commissioner — Case No DP-1909-B4731 14 August 2020 Introduction 1 On 6 September 2019, COURTS (Singapore) Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that an individual in its membership programme who had received an Electronic Direct Mail (“eDM”) from the Organisation was able to access, without authentication, data in another individual’s account after clicking on a link (the “New eDM Link”) in the eDM (the “Incident”). Facts of the Case 2 The Organisation is a well-known consumer electronics and furniture retailer, with a number of stores in Singapore.
Its membership programme, known as “homeclub by COURTS” (“Homeclub”), gives its members (“Members”) exclusive access to, among other things, events and discounts. The Organisation regularly sends eDMs to Members with links to specific products on the Organisation’s website (the “Website”). 3 The Organisation used a platform called Salesforce to create and send eDMs (the “Platform”) and the Website ran on the Magento system (the “System”), an e-commerce platform (footnote 1: The Organisation acquired a license to operate the System from 6 March 2017). The System generated a dynamic session identifier (“SID”) for each login to Homeclub on the Website. This SID would be used for all subsequent activities within the session. 4 On 31 August 2019, the Organisation sent an eDM to 76,844 Members (the “Affected Members”). This eDM included, for the first time, the New eDM Link, which was meant to direct Members to the Homeclub login page. The purpose of the New eDM Link was for Members to log in to their respective Homeclub accounts to update their membership identifier – Members were required to provide their mobile numbers to replace NRIC numbers that were previously used as the membership identifier. 5 The New eDM Link did not operate as intended, resulting in the Incident. The Commission’s investigations revealed the following: (a) Notwithstanding that the eDM sent on 31 August 2019 included for the first time the New eDM Link, the Organisation continued to use the System in its default setting. The default setting comprised (i) the SID embedded in the URL of the New eDM Link (footnote 2: This was due to the default setting “Use SID on Storefront” being set to “Yes”); and (ii) cookie settings to be refreshed after 60 minutes. (b) The default setting had not caused any issues when it was used by the Organisation to send marketing eDMs with eDM links directing Members to specific products on the Website. As Members were not
required to log in to their accounts in order to view the specific products, the SID embedded in the URL and cookie settings did not affect the functioning of the Website. (c) However, the default setting should not have been used for the New eDM Link – it led to the System assuming that every use of the New eDM Link within 60 minutes of a Member’s login was part of the same session. This meant that: (i) If Member X clicked on the New eDM Link and logged into his Homeclub account without logging out within 60 minutes, all other Members who subsequently clicked on the New eDM Link within 60 minutes of Member X’s login would automatically be directed to Member X’s account, without having to authenticate their credentials; and (ii) If Member X logged out while other Members were still logged into Member X’s account, the other Members would only be logged out of Member X’s account if they refreshed a page or navigated to other pages within Member X’s account. 6 According to the Organisation, 128 of the Affected Members clicked on the New eDM Link between approximately 8am on 31 August 2019 and 12.25am on 1 September 2019 (footnote 3: The eDM containing the New eDM Link was sent to Members at approximately 8am on 31 August 2019. The Organisation rectified the error causing the Incident at approximately 12.25am on 1 September 2019). The Incident led to the risk of unauthorised access and modification of personal data in the Affected Members’ respective Homeclub accounts. In this regard, each Member’s Homeclub account comprised (i) account information; and (ii) address book, which collectively contained the following data (“Personal Data Set”): (a) Name; (b) Email address; (c) Mobile Number; (d) Date of Birth (“DOB”); (e) Address; (f) Password; and (g) Transactional information i.e.
products previously purchased by a Member. 7 In addition to unauthorised access, the following types of personal data in the Affected Members’ Personal Data Sets were at risk of unauthorised modification as a result of the Incident: (a) The Affected Member’s name, DOB, mobile number and residential address from his/her account information; and (b) The Affected Member’s name, mobile number and residential address from his/her address book. 8 The risk of unauthorised modification in [7(a)] and [7(b)] was possible because password verification was not required to make these changes. Conversely, an Affected Member’s username (which was his/her email address) and password could not be modified without password verification. An Affected Member’s Personal Data Sets also could not be downloaded by another Member who had accessed his/her account because there was no download function on the Website. 9 There was no risk of financial loss to Affected Members through the Incident. While it was possible for another Member (who was given access to Member X’s account) to make a purchase through Member X’s account, he/she would have to provide credit card details to complete the purchase. This was because financial information (i.e. credit card details) was not stored in the System, and there was no reward system in Homeclub for the redemption of products or benefits. 10 Based on the Organisation’s investigations into the Incident, there was no evidence of any unauthorised modification to the Affected Members’ Personal Data Sets. Other than the Affected Member who had notified the Organisation of the Incident, the Organisation did not receive any further complaints or feedback.
11 Upon being notified of the Incident on the same day, the Organisation promptly took the following remedial actions: (a) Fixed the error that caused the Incident at approximately 12:25am on 1 September 2019 by changing the setting for “Use SID on Storefront” to “No”; (b) Implemented password verification for any changes to Members’ account information and address book (footnote 4: This came into effect on 6 January 2020); (c) Put in place a standard operating procedure (“SOP”) to ensure correct link insertion into eDMs to protect personal data. For eDM links that are supposed to lead to a login page, checks will be conducted to ensure that there will be multiple concurrent user testing; (d) Took steps to engage an external vendor to work on security matters (including data protection security), and disseminate this information to its employees; and (e) Emailed the 128 Affected Members who had clicked on the New eDM Link to inform them of the Incident. The Commissioner’s Findings and Basis for Determination Whether the Organisation had contravened section 24 of the PDPA 12 Section 24 of the PDPA provides that an organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or similar risks (the “Protection Obligation”). It is not disputed that the Organisation had possession and control of the Personal Data Sets at the material time. The Commission’s investigations revealed that the Organisation failed to put in place reasonable security arrangements to protect the Personal Data Sets for the reasons explained below. 13 First, the Organisation failed to conduct adequate testing before implementation. As mentioned at [4], this was the first time the Organisation included in its eDM the New eDM Link to direct Members to the Homeclub login page.
There was only 1 employee in the Organisation’s digital marketing team who was in charge of creating the New eDM Link and testing it prior to its launch. The employee conducted a limited test of sending the eDM containing the New eDM Link to himself – the New eDM Link operated as intended, directing the employee to the Homeclub login page. This limited test was clearly inadequate. As emphasised in the Commission’s previous decisions, an organisation should ensure that testing scenarios are properly scoped. In particular, pre-launch testing of processes or systems needs to mimic expected real world usage, including foreseeable scenarios in a normal operating environment when the changes are introduced (footnote 5: See Re Option Gift Pte Ltd [2019] SGPDPC 10 at [15]; Re AIA Singapore Pte Limited [2019] SGPDPC 20 at [15] and L’Oreal Singapore Pte. Ltd. Case No. DP 1812-B3091, Summary of the Decision at [3]). In the present case, the Organisation intended to send the eDM to a very large number of Members. It is therefore foreseeable that testing scenarios should include multiple sequential logins or even concurrent logins to the Homeclub login page at peak usage. If the Organisation had tested the New eDM Link to approximate this real world scenario, the Incident would have likely come to light at that stage. 14 Second, the Organisation failed to assess the appropriateness of the default settings in the System for the New eDM Link. (a) The Organisation used the default setting in the System for the New eDM Link without any assessment of its implications. As mentioned in the Commission’s Guide to Securing Personal Data in Electronic Medium at [17.5] and previous decisions (footnote 6: See for example Re DS Human Resource Pte Ltd [2019] SGPDPC 16 at [9]), when using readymade software, organisations are required to obtain a clear understanding of the intended purpose of the software, how the software
functions and how to configure the software correctly. The Organisation failed to do so in the present case; (b) There was an option in the Platform to automatically generate eDM links without any SID in the URL. The Organisation did not fully appreciate the differences in using this option to create links that are embedded within an eDM, as compared with the effects of embedding SIDs as part of the URL for the New eDM Link. Due to a lack of understanding of the differences between these out-of-the-box features of the commercial off-the-shelf product that he was using, the employee in charge of creating the New eDM Link was not aware that the appropriate method was to use the option in the Platform that generated eDM links without SID in the URL. Instead, the employee manually copied the New eDM Link (which contained the SID) from the internet browser for insertion into the eDM; and (c) While the Organisation had in place a process for a second-level check on the content and layout of the eDM, this type of check would not have been effective in picking up the more technical issues relating to the embedded SID in the New eDM Link. Understanding fully the features of the commercial off-the-shelf product in use and properly scoping the testing scenarios during user acceptance testing would have been the more appropriate and effective way to avoid and catch such errors. 15 For the reasons above, the Commissioner found the Organisation in breach of section 24 of the PDPA. Representations by the Organisation 16 In the course of settling this decision, the Organisation made representations on the amount of financial penalty that the Commissioner intended to impose.
The Organisation raised the following factors for the Commissioner’s consideration: (a) The Organisation takes a serious view of its obligations under the PDPA, and has taken the necessary remedial actions to prevent future data protection incidents from occurring. Personal data protection remains a priority for the Organisation even during these uncertain and turbulent times amidst the COVID-19 pandemic; and (b) The COVID-19 pandemic has had an adverse impact on the business of the Organisation, resulting in a significant loss of revenue. Specifically, due to “circuit breaker” measures imposed by the government, the Organisation closed all 14 of its retail outlets in Singapore from 7 April 2020 to 19 June 2020. Further, its operating overheads remained largely unchanged as labour accounted for a significant portion of its costs, and the Organisation has maintained a commitment to retaining employees so as to protect their livelihoods. Even with the recent reopening of its physical stores, the Organisation continues to have a negative outlook of its business due to the impact of COVID-19 on the economy and a challenging retail landscape. 17 Having carefully considered the representations, the Commissioner has decided to reduce the financial penalty to the amount set out at [19]. The quantum of financial penalty has been calibrated after due consideration of the Organisation’s financial circumstances due to the unprecedented challenges faced by businesses amid the current COVID-19 pandemic, bearing in mind that financial penalties imposed should not be crushing or cause undue hardship on organisations. Although a lower financial penalty has been imposed in this case, the quantum of financial penalty should be treated as exceptional and should not be taken as setting any precedent for future cases.
The Commissioner’s Directions 18 In determining the directions, if any, to be imposed on the Organisation under Section 29 of the PDPA, the Commissioner took into account as an aggravating factor that this is the second time the Organisation has been found in breach of the Protection Obligation (footnote 7: See Re Courts (Singapore) Pte Ltd [2019] SGPDPC 4). The Commissioner also took into account the following mitigating factors: (a) The Organisation cooperated with the investigations and provided prompt responses to the Commission’s requests for information; (b) The Organisation implemented remedial actions swiftly to address the Incident; and (c) The Members’ Personal Data Sets were exposed to the risk of unauthorised access and/or modification for a limited period of less than one day. 19 Having considered all the relevant factors of this case, the Commissioner hereby directs the Organisation to pay a financial penalty of S$9,000 within 30 days from the date of this direction, failing which interest, at the rate specified in the Rules of Court in respect of judgment debts, shall accrue and be payable on the outstanding amount of the financial penalty until it is paid in full. The Commissioner has not set out any further directions given the remediation measures already put in place.
YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION",Financial Penalty,7b84d1c0b092675d5ee94570a80a3de93072541d,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,167,167,1,952,"A financial penalty of $15,000 was imposed on COURTS for failing to put in place reasonable security arrangements to protect the personal data of its customers from unauthorised disclosure on its online portal.","[""Protection"", ""Financial Penalty"", ""Wholesale and Retail Trade"", ""Furniture"", ""Electronics""]",2019-01-22,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---COURTS---220119.pdf,Protection,Breach of the Protection Obligation by COURTS,https://www.pdpc.gov.sg/all-commissions-decisions/2019/01/breach-of-the-protection-obligation-by-courts,2019-01-22,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 4 Case No DP-1707-B0917 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And COURTS (Singapore) Pte Ltd … Organisation DECISION COURTS (Singapore) Pte. Ltd. COURTS (Singapore) Pte Ltd [2019] SGPDPC 4 Tan Kiat How, Commissioner — Case No DP-1707-B0917 22 January 2019 Background 1 On 9 July 2017, the Personal Data Protection Commission (the “Commission”) received a complaint from a customer (“Complainant”) of COURTS (Singapore) Pte Ltd (“COURTS”) stating that the http://www.courts.com.sg website (“Website”) was “unsafe for customers”. The Complainant discovered that by entering his name and e-mail address on COURTS’ Guest Login (“Guest Login Page”) for the purpose of making a purchase, the Website would automatically open another webpage (“Guest Checkout Page”) disclosing the Complainant’s contact number and address (the “Incident”).
2 Following an investigation into the matter, the Commissioner found COURTS in breach of section 24 of the Personal Data Protection Act 2012 (“PDPA”). Material Facts 3 The Website is owned and managed by COURTS, a leading consumer electronics and furniture retailer in Singapore with a network of 80 stores nationwide. Ebee Global Solutions Pvt Ltd (“Ebee”) was an IT vendor engaged by COURTS to develop and maintain the Guest Login Page and Guest Checkout Page (“Guest Checkout System”) that was part of the Website. At the material time, the process flow when a customer wished to make a purchase through the Guest Login Page was as follows: (a) The customer accesses the Website and selects an item to “Add to cart” before selecting “Proceed to checkout”; (b) The customer may choose to log into his COURTS’ HomeClub account or he may choose to “Checkout as guest user”; (c) If the customer chooses to check out as a guest user, he enters his name and email address and selects “Login as guest”; and (d) Assuming that the customer has previously made a purchase through the Website using the same email address, the customer’s contact number and residential address (collectively, the “Personal Data Set”) will be displayed on the Guest Checkout Page. 4 Investigations revealed that in relation to (c) above, the Personal Data Set would be displayed upon an exact match with the Email Address the customer had used previously even if the name entered does not match the name the customer used initially. In the circumstances, the customer’s email address was the sole login credential as the “Name” field did not serve any security purpose; access to the Guest Checkout System was not conditional on linking the input entered into the “Name” field with the customer’s email address. 5 The Guest Checkout System was launched on 21 April 2014.
Data collected from the Guest Checkout System was stored in COURTS’ database hosted on the Amazon Web Services server (“AWS Server”). The database contained customers’ email addresses, contact numbers and residential addresses. 6 As at 9 July 2017, COURTS confirmed that a total of 14,104 Personal Data Sets were stored in COURTS’ database hosted on the AWS Server. The Personal Data Sets belonged to either COURTS’ HomeClub customers or to customers who had made a purchase using the Guest Checkout System since 21 April 2014. 7 COURTS took the following remedial actions after it was notified of the Incident: (a) On 30 August 2017, COURTS launched a new Website with a new Guest Checkout System in place. No data is stored for future use during the new guest checkout process. Customers using the new Guest Checkout System are required to key in their personal data each time a purchase is made. The Guest Checkout Page would not populate the Personal Data Set even if the same customer had previously made a purchase; (b) On 30 September 2017, COURTS’ database containing the Personal Data Sets hosted on the AWS Server was decommissioned; (c) COURTS engaged a PDPA consultant to conduct PDPA training for its support centre and operation groups, and scheduled a full audit of COURTS’ processes; and (d) COURTS put in place additional security measures, such as adopting a policy for penetration tests to be performed at least once every 6 months on the new Website. The Commissioner’s Findings and Basis for Determination 8 It is not disputed that the Personal Data Set is “personal data” as defined in section 2(1) of the PDPA. There is also no dispute that the PDPA applies to COURTS as it falls within PDPA’s definition of “organisation”. The issue to be determined by the Commissioner in this case is whether COURTS had complied with its obligations under section 24 of the PDPA.
Whether COURTS complied with its obligations under section 24 of the PDPA 9 Section 24 of the PDPA provides that an organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. It is not disputed that COURTS had possession and/or control of the Personal Data Sets stored in COURTS’ database, and hosted on the AWS Server. In this regard, COURTS confirmed that Ebee did not have the login credentials to COURTS’ database. Its arrangement with Ebee was in the nature of a software development relationship. While the scope of the contract with Ebee covered the maintenance of the Guest Checkout System, in reality, maintenance was not carried out. COURTS did not engage Ebee to operate the database or perform any form of processing activities on the Personal Data Sets and as such, Ebee was not a data intermediary. 10 The investigations found that COURTS failed to put in place reasonable security arrangements to protect the Personal Data Sets for the following reasons: (a) Email addresses are readily shared by individuals and searchable on various public platforms. The use of an email address as the sole login credential on the Guest Login Page resulting in disclosure of the Personal Data Set on the Guest Checkout Page fell short of the standard of protection required to prevent unauthorised access. As has been held in Re ABR Holdings Ltd [2016] SGPDPC 16, it is not acceptable to use commonly used identifiers to retrieve personal data. The intention to make the user experience smooth for returning guest shoppers without a HomeClub account was laudable but quite unacceptable as it poses a risk to customers. The entry of an email address was sufficient to retrieve the associated contact number and address that had been stored in the database.
This amounted to a failure to protect personal data of returning customers that falls below the standard expected under the PDPA. (b) There was a glaring failure by COURTS to adequately consider data protection with respect to the Guest Checkout System of the Website. Although the Website and Guest Checkout Page were launched before the PDPA came into force, COURTS failed to review their system design or process flow, or implement any internal security policies in relation to data protection for the Website after the PDPA came into force for the purpose of ensuring compliance. Additionally, (i) No penetration tests were conducted since the launch of the Website and the Guest Checkout Page on 21 April 2014; (ii) No security scans were performed on the Website for a period of 12 months prior to the Incident; and (iii) No maintenance of the Guest Checkout System had been carried out since its launch on 21 April 2014. 11 COURTS represented that it had scheduled training programmes in place for all employees with respect to data protection obligations under the PDPA. (a) New employees are required to go through tailored PDPA training specific to their job scopes during on-boarding; and (b) PDPA refresher training is conducted for all employees, with the most recent one being in February 2017. 12 While data protection training has an impact on the proper implementation of an organisation’s data protection policies and practices, these training measures are ineffective to deal with the system design and process flow deficiencies in the Website and cannot therefore amount to a sufficient security arrangement to protect against the unauthorised disclosure of the Personal Data Sets. Admittedly, COURTS conceded that the disclosure of the Personal Data Set on the Guest Checkout Page once an email address matched an existing customer’s record in COURTS’ database was “…an oversight on a design flaw that we were serving data unauthenticated”.
It is inexcusable for an established organisation like COURTS to neglect its obligations to put in place reasonable security arrangements to protect the Personal Data Sets. This resulted in the Personal Data Sets being exposed to risk of unauthorised disclosure for more than 3 years (footnote 1: 21 April 2014 to 30 August 2017). 13 For the reasons above, the Commissioner finds COURTS in breach of section 24 of the PDPA. The Commissioner’s Directions 14 Given the Commissioner’s findings that COURTS is in breach of section 24 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to issue COURTS such directions as it deems fit to ensure compliance with the PDPA. This may include directing COURTS to pay a financial penalty of such amount not exceeding S$1 million. 15 In assessing the breach and determining the directions, if any, to be imposed on COURTS in this case, the Commissioner took into account the following aggravating factors: (a) Given that email addresses are widely shared, use of an email address as the sole login credential to protect against unauthorised disclosure of the Personal Data Set was clearly not a reasonable security arrangement; (b) COURTS subjected the Personal Data Sets to risk of unauthorised disclosure for a substantial period of about 3 years; and (c) COURTS displayed a lack of urgency and absence of initiative to obtain information in relation to the Incident. 16 The Commissioner also took into account the following mitigating factors: (a) There was limited risk of unauthorised disclosure because the Personal Data Set would only be disclosed upon entry of a matching email address used by COURTS’ HomeClub customers or previous customers who had made a purchase through the Guest Checkout System;
(b) There was no evidence to suggest any actual loss or damage resulting from the Incident; and (c) COURTS effected remedial actions upon being informed to implement measures to prevent recurrences of the Incident and to increase employees’ awareness of the PDPA. 17 Having considered all the relevant factors of this case, the Commissioner hereby directs COURTS to pay a financial penalty of S$15,000.00 within 30 days from the date of the Commissioner’s direction, failing which, interest at the rate specified in the Rules of Court (footnote 2: Cap 322, R5, 2014 Rev Ed) in respect of judgment debts, shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION",Financial Penalty,b832b96d16d0455426470e4f2e0d82e73a0c345a,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"