On 13 December 2018, the Singapore data protection commission issued four separate decisions against the following organisations, for breaches of the protection obligation under section 24 of the Personal Data Protection Act 2012 (PDPA):
- Funding Societies Pte Ltd
- WTS Automotive Services Pte Ltd
- Institute of Singapore Chartered Accountants
- SLF Green Maid Agency
The facts of this case were as follows:
- The organisation operates an online financing platform for investors and borrowers.
- There was a vulnerability on the organisation’s website: once a user had logged in, they could access the personal details of other users of the site simply by changing a unique identifier in the request, because the site did not require the identifier in the user’s authentication token and the identifier in their authorisation token to match. The vulnerability lasted for 37 days and enabled a customer’s name, national registration identity card number and residential address to be accessed without authorisation.
- The commission found that an authorised user would have been able to pretend to be another user and perform functions such as using an investor’s account to contact prospective borrowers, updating a user’s personal details and even altering the auto-investment settings of an investor’s account.
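The flaw described above is an authorisation check that is missing after authentication succeeds: the caller is logged in, but nothing ties the record identifier in the request to the identity the session was issued for. The following Python illustration is added here and is not code from the organisation or from the decision; the user records, session tokens and access log are constructed sample data, and the function names are hypothetical. It shows the vulnerable lookup beside its hardened form, and a simple defender-side check that flags sessions which read records other than their own.

```python
"""Added illustration of the access-control flaw described in the decision.
All names, tokens and records below are constructed for this example."""
from __future__ import annotations

# Constructed sample data (not real customers).
USERS = {
    "u1001": {"name": "Alice Tan", "nric": "S0000001A", "address": "1 Example Rd"},
    "u1002": {"name": "Bob Lim", "nric": "S0000002B", "address": "2 Example Rd"},
}

# Session token -> authenticated user id, as a login would establish it.
SESSIONS = {"tok-alice": "u1001", "tok-bob": "u1002"}


def get_profile_vulnerable(session_token: str, requested_user_id: str) -> dict:
    """Checks only that the caller is logged in. The identifier in the request
    is trusted as-is, so any authenticated user can read any record."""
    if session_token not in SESSIONS:
        raise PermissionError("not authenticated")
    return USERS[requested_user_id]


def get_profile_hardened(session_token: str, requested_user_id: str) -> dict:
    """Enforces both authentication and authorisation: the identity the session
    was issued for must match the identifier being accessed."""
    caller_id = SESSIONS.get(session_token)
    if caller_id is None:
        raise PermissionError("not authenticated")
    if caller_id != requested_user_id:
        raise PermissionError("not authorised for this record")
    record = USERS.get(requested_user_id)
    if record is None:
        raise LookupError("no such user")
    return record


def sessions_reading_foreign_records(access_log: list[tuple[str, str]]) -> dict:
    """Defensive review over (session_token, requested_user_id) access records.
    Returns, per session, the set of user ids it read that were not its own;
    a non-empty set indicates the vulnerable path above was exercised."""
    suspicious: dict[str, set[str]] = {}
    for token, requested in access_log:
        owner = SESSIONS.get(token)
        if owner is not None and requested != owner:
            suspicious.setdefault(token, set()).add(requested)
    return suspicious


if __name__ == "__main__":
    print(get_profile_vulnerable("tok-alice", "u1002"))   # leaks Bob's record
    try:
        get_profile_hardened("tok-alice", "u1002")
    except PermissionError as exc:
        print("hardened:", exc)
    # Constructed access log: Alice's session reads Bob's record once.
    log = [("tok-alice", "u1001"), ("tok-alice", "u1002"), ("tok-bob", "u1002")]
    print(sessions_reading_foreign_records(log))
```

The hardened handler resolves the caller’s identity from the server-side session and compares it with the requested identifier before touching the data store, so the record identifier supplied by the client never decides who may read it. The log check is the kind of retrospective test an organisation would run over its own access logs to establish whether, and for which accounts, an exposure like the 37-day window described above was actually exploited.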
The commission determined that:
- The organisation failed to put in place adequate security arrangements on its website, which led to the unauthorised access of users’ personal information and potential misuse of the accounts by unauthorised users.
- What is particularly noteworthy is the commission’s comment that it “did not consider being a young organisation to be a mitigating factor”.
- A financial penalty of $30,000 was imposed for the breach.