pdpc_decisions_version_detail (view)
2 rows where title = "Breach of the Protection Obligation by COURTS"
_commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 89 | 89 | 1 | 952 | A financial penalty of $9,000 was imposed on COURTS for failing to put in place reasonable security arrangements to protect the personal data of its members from unauthorised disclosure on its website. Some members were able to gain access to personal data of another member via a link in an email sent by COURTS. | [ "Protection", "Financial Penalty", "Wholesale and Retail Trade", "Inadequate scoping of testing", "EDM", "Incorrect Setting" ] | 2020-10-16 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---COURTS-Singapore---140820.pdf | Protection | Breach of the Protection Obligation by COURTS | https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-courts | 2020-10-16 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 17 Case No DP-1909-B4731 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And COURTS (Singapore) Pte Ltd. … Organisation DECISION COURTS (Singapore) Pte Ltd [2020] SGPDPC 17 Lew Chuen Hong, Commissioner — Case No DP-1909-B4731 14 August 2020 Introduction 1 On 6 September 2019, COURTS (Singapore) Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that an individual in its membership programme who had received an Electronic Direct Mail (“eDM”) from the Organisation, was able to access, without authentication, data in another individual’s account after clicking on a link (the “New eDM Link”) in the eDM (the “Incident”). Facts of the Case 2 The Organisation is a well-known consumer electronics and furniture retailer, with a number of stores in Singapore. Its membership programme, known as “homeclub by COURTS” (“Homeclub”) gives its members (“Members”) exclusive access to, among other things, events and discounts. The Organisation regularly sends eDMs to Members with links to specific products on the Organisation’s website (the “Website”). 3 The Organisation used a platform called Salesforce to create and send eDMs (the “Platform”) and the Website ran on the Magento system (the “System”), an e-commerce platform. The System generated a dynamic session identifier (“SID”) for each login to Homeclub on the Website. This SID would be used for all subsequent activities within the session. 4 On 31 August 2019, the Organisation sent an eDM to 76,844 Members (the “Affected Members”). This eDM, included for the first time, the New eDM Link, which was meant to direct Members to the Homeclub login page. The purpose of the New eDM Link was for Members to log in to their respective Homeclub accounts to update their membership identifier – Members were required to provide their mobile numbers to replace NRIC numbers that were previ… | Financial Penalty | 7b84d1c0b092675d5ee94570a80a3de93072541d | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 167 | 167 | 1 | 952 | A financial penalty of $15,000 was imposed on COURTS for failing to put in place reasonable security arrangements to protect the personal data of its customers from unauthorised disclosure on its online portal. | [ "Protection", "Financial Penalty", "Wholesale and Retail Trade", "Furniture", "Electronics" ] | 2019-01-22 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---COURTS---220119.pdf | Protection | Breach of the Protection Obligation by COURTS | https://www.pdpc.gov.sg/all-commissions-decisions/2019/01/breach-of-the-protection-obligation-by-courts | 2019-01-22 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 4 Case No DP-1707-B0917 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And COURTS (Singapore) Pte Ltd … Organisation DECISION COURTS (Singapore) Pte. Ltd. COURTS (Singapore) Pte Ltd [2019] SGPDPC 4 Tan Kiat How, Commissioner — Case No DP-1707-B0917 22 January 2019 Background 1 On 9 July 2017, the Personal Data Protection Commission (the “Commission”) received a complaint from a customer (“Complainant”) of COURTS (Singapore) Pte Ltd (“COURTS”) stating that the http://www.courts.com.sg website (“Website”) was “unsafe for customers”. The Complainant discovered that by entering his name and e-mail address on COURTS’ Guest Login (“Guest Login Page”) for the purpose of making a purchase, the Website would automatically open another webpage (“Guest Checkout Page”) disclosing the Complainant’s contact number and address (the “Incident”). 2 Following an investigation into the matter, the Commissioner found COURTS in breach of section 24 of the Personal Data Protection Act 2012 (“PDPA”). Material Facts 3 The Website is owned and managed by COURTS, a leading consumer electronics and furniture retailer in Singapore with a network of 80 stores nationwide. Ebee Global Solutions Pvt Ltd (“Ebee”) was an IT vendor engaged by COURTS to develop and maintain the Guest Login Page and Guest Checkout Page (“Guest Checkout System”) that was part of the Website. At the material time, the process flow when a customer wished to make a purchase through the Guest Login Page was as follows: (a) The customer accesses the Website and selects an item to “Add to cart” before selecting “Proceed to checkout”; (b) The customer may choose to log into his COURTS’ HomeClub account or he may choose to “Checkout as guest user”; (c) If the customer chooses to check out as a guest user, he enters his name and email address and selects “Login as guest”; and (d) Assuming that the customer has previous… | Financial Penalty | b832b96d16d0455426470e4f2e0d82e73a0c345a | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
CREATE VIEW pdpc_decisions_version_detail AS select commits.commit_at as _commit_at, commits.hash as _commit_hash, pdpc_decisions_version.*, ( select json_group_array(name) from columns where id in ( select column from pdpc_decisions_changed where item_version = pdpc_decisions_version._id ) ) as _changed_columns from pdpc_decisions_version join commits on commits.id = pdpc_decisions_version._commit;