pdpc_decisions_version_detail (view)
5 rows where "date" is on date 2020-09-10
_commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 90 | 90 | 1 | 952 | A warning was issued to the Singapore Medical Association for failing to put in place reasonable security arrangements to prevent the unauthorised access of 68 individuals’ personal data which were forwarded to an external email address without authorisation. | [ "Protection", "Warning", "General (eg. Chamber of Commerce)", "Email forwarding", "Password policy" ] | 2020-09-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Singapore-Medical-Association---21072020.pdf | Protection | Breach of the Protection Obligation by Singapore Medical Association | https://www.pdpc.gov.sg/all-commissions-decisions/2020/09/breach-of-the-protection-obligation-by-singapore-medical-association | 2020-09-10 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2001- B5770 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Medical Association SUMMARY OF THE DECISION 1. On 31 January 2020, Singapore Medical Association (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that the personal data of 68 individuals in 137 emails had been forwarded to an external email address without authorisation between 28 and 30 January 2020. The personal data comprised National Registration Identification Card numbers, dates of birth, indemnity coverage, period of coverage, educational information and financial transaction information. 2. The Organisation believed an unauthorised user (“UU”) gained entry into the affected Microsoft Office 365 email account by a brute force attack but did not have the system logs to confirm this. Regardless, the unauthorised entry enabled the UU to create an email rule to forward received emails to the external email address. 3. It was found that the Organisation failed to conduct periodic security reviews of its IT system. Consequently, it missed the opportunity to detect the following security issues that could have prevented the incident: a. There was no periodic change to the passwords of email accounts. As an example, the password to the affected account had not been changed since first use in November 2013. b. The Organisation collected financial information such as bank account details and swift codes and should have considered, as part of a security review, whether it needed to enhance security measures. For example, encryption of emails and/or attachments containing such sensitive personal data. c. A reasonable security review would also have noted the absence of security arrangements against brute force attacks. Common examples of anti-brute force measures include limiting the number of failed login attempts and account lockouts. Without anti-brute force measures, a password-protected account … | Warning | 6c2d54a99a7623a26140ad101ee1ad4d4c2a792d | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 91 | 91 | 1 | 952 | A financial penalty of $20,000 was imposed on Civil Service Club for failing to put in place reasonable security arrangements to protect its members’ personal data. A web directory containing members’ profile photographs and their respective NRIC/FIN numbers was found to be publicly accessible. | [ "Protection", "Financial Penalty", "Arts, Entertainment and Recreation", "Access control", "Public access" ] | 2020-09-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Civil-Service-Club-01042020.pdf | Protection | Breach of the Protection Obligation by Civil Service Club | https://www.pdpc.gov.sg/all-commissions-decisions/2020/09/breach-of-the-protection-obligation-by-civil-service-club | 2020-09-10 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 15 Case No DP-1907-B4180 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Civil Service Club … Organisation DECISION Civil Service Club [2020] SGPDPC 15 Tan Kiat How, Commissioner — Case No DP-1907-B4180 1 April 2020 Introduction 1 On 2 July 2019, the Personal Data Protection Commission (the “Commission”) received a complaint from a member (the “Complainant”) of the Civil Service Club (the “Organisation”). According to the Complainant, when he accessed his virtual membership card (the “Virtual Card”) through the Organisation’s membership web portal on the same day – “https://gateway.csc.sg” (the “Membership Portal”), he discovered that he was able to access a web directory – “https://gateway.csc.sg/webclub/facilities/tmp” (the “Directory”). The Directory contained profile photographs of other members (and their respective NRIC/FIN numbers which were used as file names for their profile photographs), including the Complainant’s (the “Incident”). Facts of the Case 2 The Organisation is a social club for all Public Service officers in Singapore, and also welcomes staff of Social Service Organisations and the general public to join as associate members. Membership benefits include booking of sports facilities, functions rooms and chalets, as well as members’ rates for club events and recreational activities. Civil Service Club 3 [2020] SGPDPC 15 In October 2009, the Organisation engaged the services of an IT vendor (the “Vendor”) to develop its Club Management System (“CMS”). The Vendor’s scope of work was set out in a contract entered into between the parties in November 2009 (the “Contract”). The Organisation launched the CMS, including the Membership Portal, in stages. On 1 March 2019, the Organisation launched the Virtual Card on the Membership Portal, and members’ NRIC/FIN numbers were used as file names for members’ profile photographs. 4 The Organisation has 2 separate servers hosted in… | Financial Penalty | f0321512ea7fdd1c3b0f5d62f673deb9411f9019 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 92 | 92 | 1 | 952 | A financial penalty of $10,000 was imposed and a direction was issued to Grabcar for failing to put in place reasonable security arrangements to prevent the unauthorised access of GrabHitch drivers’ and passengers’ personal data via its mobile application. | [ "Protection", "Financial Penalty", "Directions", "Transport and Storage", "Mobile application", "Code review" ] | 2020-09-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Grabcar-Pte-Ltd---24072020.pdf | Protection | Breach of the Protection Obligation by Grabcar | https://www.pdpc.gov.sg/all-commissions-decisions/2020/09/breach-of-the-protection-obligation-by-grabcar | 2020-09-10 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 14 Case No. DP-1909-B4675 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Grabcar Pte Ltd … Organisation DECISION Grabcar Pte Ltd [2020] SGPDPC 14 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1909-B4675 21 July 2020 Introduction 1 Grabcar Pte Ltd (the “Organisation”) is a Singapore-based company offering ride-hailing transport services, food delivery and digital payment solutions through its mobile application (the “Grab App”). The Grab App also provides a carpooling option referred to as “GrabHitch”. GrabHitch matches a passenger with a driver willing to give a lift to the passenger (on the way to the driver’s destination) in return for a fee. On 30 August 2019, the Organisation notified the Personal Data Protection Commission (the “Commission”) that, for a short period of time on the same day, profile data of 5,651 GrabHitch drivers was exposed to the risk of unauthorised access by other GrabHitch drivers through the Grab App (the “Incident”). Facts of the Case 2 The Organisation’s investigations traced the cause of the Incident to the deployment of an update to the Grab App on 30 August 2019 (the “Update”). The purpose of the Update was to address a potential vulnerability discovered within the Grab App, namely, the application programming interface (“API”) endpoint (/users/{userID}/profile) (the “URL”) that had allowed GrabHitch drivers to access their data, contained a ‘userID’ that could potentially be manipulated to allow access to other GrabHitch driver’s data.1 3 In order to fix the vulnerability, the Update removed the variable ‘userID’ from the URL which shortened it to a hard-coded ‘/users/profile’. However, the Update failed to take into account the URL-based caching mechanism in the Grab App. This caching mechanism (which was configured to refresh every 10 seconds) served cached content in response to data requests to reduce the load of direct a… | Financial Penalty, Directions | eb17aef1e75850888d8ec821aa37aebe142109b2 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 93 | 93 | 1 | 952 | Singtel was found not in breach for failing to make reasonable security arrangements to prevent the unauthorised access of its customers’ personal data via the mySingtel mobile application. | [ "Not in Breach", "Others", "No breach", "Mobile application", "Singtel" ] | 2020-09-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Singapore-Telecommunications-Limited---05082020.pdf |  | No Breach of the Protection Obligation by Singtel | https://www.pdpc.gov.sg/all-commissions-decisions/2020/09/no-breach-of-the-protection-obligation-by-singtel | 2020-09-10 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 13 Case No. DP-1904-B3731 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Telecommunications Limited … Organisation DECISION Singapore Telecommunications Limited [2020] SGPDPC 13 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1904-B3731 5 August 2020 Introduction 1 On 28 March 2019, Singapore Telecommunications Limited (the “Organisation”) was notified by a customer of an issue with its MySingtel mobile application (the “Mobile App”) – customers were able to view on the Mobile App their previously assigned service numbers 1 (the “Recycled Numbers”) and the related usage information of other customers who were the current users of the Recycled Numbers (the “Incident”). The Organisation notified the Personal Data Protection Commission (the “Commission”) of the Incident on 17 April 2019. Facts of the Case 2 The Organisation is a multinational telecommunications conglomerate headquartered in Singapore. Through the Mobile App, the Organisation’s customers can conveniently manage the Organisation’s services including (but not limited to) the payment of their bills, keeping track of their local mobile data usage, talk time and SMS, subscribing to a roaming plan to suit their travel needs etc. 1 The service numbers comprised mobile phone numbers, user IDs for the Organisation’s broadband internet services and service numbers for the Organisation’s TV services. Singapore Telecommunications Limited [2020] SGPDPC 13 Communications between the Mobile App and the Organisation’s servers are conducted via an Application Programming Interface (“API”). This would include the retrieval of active service numbers associated with a user of the Mobile App. 3 The Organisation engaged a software services provider who was in charge of developing and introducing code changes for the purpose of code updates to the API (the “Vendor”). As part of a scheduled code update on the day of the Incident, the Vendor ma… | Not in Breach | cf1510a1a435f6eb0468b1dd403f3cf6c72407a6 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 94 | 94 | 1 | 952 | A financial penalty of $5,000 was imposed on Singapore Red Cross for breaches of the PDPA. First, the Organisation failed to put in place reasonable security arrangements to protect the personal data of its blood donors. Second, it was also found to be retaining personal data which was no longer necessary for legal or business purposes. | [ "Protection", "Financial Penalty", "Social Service", "Security", "Retention" ] | 2020-09-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Singapore-Red-Cross---05052020.pdf | Protection | Breach of the Protection and Retention Limitation Obligations by Singapore Red Cross | https://www.pdpc.gov.sg/all-commissions-decisions/2020/09/breach-of-the-protection-and-retention-limitation-obligations-by-singapore-red-cross | 2020-09-10 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 16 Case No DP-1905-B3865 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Red Cross Society … Organisation DECISION Singapore Red Cross Society [2020] SGPDPC 16 Singapore Red Cross Society [2020] SGPDPC 16 Tan Kiat How, Commissioner — Case No DP-1905-B3865 5 May 2020 Facts of the Case 1 Singapore Red Cross Society (the “Organisation”) operates a website at http://www.redcross.sg (the “Website”) which allows the public to make appointments for blood donations. For this purpose, the Organisation collects personal data of individuals such as their names, contact numbers, email addresses and blood types (the “Personal Data”). The Personal Data was stored in the Organisation’s blood donor appointment database (the “Database”) accessible via the Website. 2 On 9 May 2019, the Organisation notified the Personal Data Protection Commission (the “Commission”) that unauthorised individual(s) accessed and ex-filtrated the Personal Data of approximately 4,297 individuals (“Affected Individuals”) from the Database (the “Incident”). 3 Upon being notified of the Incident, the Organisation took the following remedial actions: (a) Removed the appointment booking system on its Website in order to temporarily cease its collection of Personal Data through that channel; and (b) Revised and strengthened its internal procedures to comply with the PDPA. 1 Singapore Red Cross Society [2020] SGPDPC 16 The Commissioner’s Findings and Basis for Determination The Organisation admitted that it had contravened Section 24 of the PDPA 4 Section 24 of the Personal Data Protection Act 2012 (“PDPA”) provides that an organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or similar risks (the “Protection Obligation”). 5 The Organisation admitted that it failed to implemen… | Financial Penalty | 7bdf02b93a7a9d9facf04ceb3c80a66892a08642 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
CREATE VIEW pdpc_decisions_version_detail AS select commits.commit_at as _commit_at, commits.hash as _commit_hash, pdpc_decisions_version.*, ( select json_group_array(name) from columns where id in ( select column from pdpc_decisions_changed where item_version = pdpc_decisions_version._id ) ) as _changed_columns from pdpc_decisions_version join commits on commits.id = pdpc_decisions_version._commit;