On 13 December 2018, the Singapore data protection commission issued four separate decisions against the following organisations, for breaches of the protection obligation under section 24 of the Personal Data Protection Act 2012 (PDPA):
- Funding Societies Pte Ltd
- WTS Automotive Services Pte Ltd
- Institute of Singapore Chartered Accountants
- SLF Green Maid Agency
The facts of this case were as follows:
- The organisation operates an online financing platform for investors and borrowers.
- There was a vulnerability on the organisation’s website, such that when a user logged in, they could access the personal details of other users of the site simply by changing a unique identifier without such identifier in both their authentication and authorisation tokens needing to match. The vulnerability lasted for 37 days and enabled the customer’s name, national registration identity card number and residential address to be accessed without authorisation.
- The commission found that an authorised user would have been able to pretend to be another user and perform functions such as using an investor’s account to contact prospective borrowers, updating a user’s personal details and even altering the auto-investment settings of an investor’s account.
The commission determined that:
- The organisation failed to put in place adequate security arrangements on its website, which led to the unauthorised access of users’ personal information and potential misuse of the accounts by unauthorized users.
- What is particularly noteworthy is the commission’s comment that it “did not consider being a young organisation to be a mitigating factor”.
- A financial penalty of $30,000 was imposed for the breach.
The facts of the case were as follows:
- The organisation provides vehicle repair and maintenance services.
- It had a backend system which was meant for internal use by staff only, for storing and accessing the personal data of customers.
- However, the commission’s investigations revealed that a customer database comprising 2,472 personal data records including customer names, national registration identity card and foreign identity numbers, residential addresses, contact numbers, email addresses and car plate registration numbers was accessible via a URL link chanced upon via a Google search.
- Two other databases were part of the same backend system, which similarly contained personal data that was also publicly available, comprising up to 5,987 records of personal data.
The commission found that:
- Neither of the IT vendors that were engaged by the organisation was responsible for failing to protect the personal data in this case. In particular:
- ZNO, which was the IT vendor engaged to develop, host and maintain the backend system, had delivered the system in 2013, which was before the relevant provisions in the PDPA came into force on 2 July 2014.
- As for QGrids, which had been engaged for the application and data migration from ZNO’s web hosting services to another third-party Singapore-based web hosting company, it was similarly not liable as the data breach in this case was not a result of the migration.
- The organisation retained full responsibility for protecting the personal data in its possession or under its control. A financial penalty of $20,000 was imposed for the breach.
Institute of Singapore Chartered Accountants (ISCA)
The facts of the case were as follows:
- ISCA is the national professional body for accountants in Singapore with about 32,000 members.
- Two employees of ISCA were unable to open an Excel file containing the personal data of 1,906 candidates of ISCA’s professional examination programme that was stored on ISCA’s internal shared drive as it appeared to be corrupted. The employees sought the assistance of ISCA’s IT department. The IT department recovered the Excel file from ISCA’s backup server.
- The recovered Excel file was attached to an email, which got mistakenly sent to a listed telecommunications service provider instead of back to the employees, due to the auto-complete feature in the email software.
- The personal data that was contained in the file included the national registration identity card and passport numbers, dates of birth, postal and email addresses, mobile numbers, employment history records, qualification records, exam results and appeal status of the ISCA candidates’ candidature.
- When the mistake was discovered, emails were sent to the telco requesting it to disregard, permanently delete and to confirm such deletion of the Excel file. All ISCA candidates whose personal data was disclosed in the Excel file were notified of the incident.
The commission’s findings were as follows:
- ISCA failed to comply with the protection obligation under the PDPA, as it did not put in place reasonable security arrangements to protect the personal data in the Excel file.
- The volume (1,906 candidates) and type (data with a higher expectation of confidentiality) of personal data warranted direct protection.
- ISCA ought to have had a policy or standard operating procedure in place requiring password-based encryption for the Excel file in respect of both external and internal emails.
- A financial penalty of $6,000 was imposed for the breach.
SLF Green Maid Agency
The facts of this case were:
- The organisation is a foreign domestic worker agency based in Singapore.
- During the course of its interactions with prospective customers, its staff reused scrap and discarded paper containing the personal data of individuals including photocopies of their national registration identity cards, foreign identity numbers, passport numbers and expiry dates, and signatures.
The commission’s grounds of decision were as follows:
- Reusing scrap paper is environmentally friendly and hence commendable; however, reasonable security measures should be put in place to prevent such paper containing personal data from being reused or given to other clients.
- Such arrangements would need to include:
- Implementing a system of processes backed up by policies; and
- Training relevant staff to be aware of the risks and to be alert to spot them.
- Neither of these measures was adopted by the organisation in this case.
- However, the commission took the view that a financial penalty was not warranted based on the circumstances of the case. Instead, it directed the organisation to review its procedures and develop a training programme for staff on data protection compliance.
- While all four decisions dealt with a failure to protect personal data pursuant to section 24 of the PDPA, the commission appears to have taken into account the severity of the impact (or potential impact) of harm arising from each of the respective breaches. For instance, where there is a greater possibility of abuse and fraud arising from the data breach, as in the case of the Funding Societies decision, then a higher penalty would be warranted.
- In addition, where the volume of personal data compromised is high (as with WTS Automotive compared to ISCA and SLF Green Maid Agency, in decreasing order), then a steeper penalty would be appropriate.
- These decisions reflect the broad range of ways in which a breach of the protection obligation could manifest – from failing to ensure that an IT system adequately protects personal data stored on it, to reusing papers with personal information physically written on them.
- Businesses should therefore carry out thorough reviews of all practices involving the processing of personal data, whether in the digital or physical form, to ensure that they are fully compliant with their data protection obligations.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, “Reed Smith”). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith’s Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.