The Personal Data Protection Commission directed COURTS (Singapore) Pte Ltd t...

Insights

Data breach by COURTS

Date
February 26, 2019
Author
OrionW

On 22nd January 2019, the Personal Data Protection Commission (PDPC) directed COURTS (Singapore) Pte Ltd (COURTS) to pay a S$15,000 penalty for breaching Section 24 (Protection Obligation) of the Personal Data Protection Act 2012.

The matter arose from a complaint relating to the operation of COURTS’ website (Website).  Customers wishing to make a purchase on the Website could check out either with their COURTS account, if they had one, or as a guest.  To check out as a guest, a customer was required to enter their name and email address.  To provide guests with a smoother check-out process, if the customer’s email address matched an email address previously used to make a purchase on the Website, the contact number and residential address (Personal Data Set) associated with that email address in COURTS’ database would be automatically displayed on the guest check-out page even if the name entered did not match the name previously used with that email address.  In short, simply using an email address, which is widely shared and readily searchable on public platforms, would enable anyone to access another individual’s Personal Data Set.

The PDPC ruled that using an email address as the sole login credential fell short of the standard required under the Protection Obligation to prevent unauthorised access of personal data.  The PDPC also found that COURTS failed to conduct penetration tests, security scans and maintenance of its Website since its launch, thereby neglecting its responsibility to put in place adequate security arrangements to protect its customers’ personal data as required under the Protection Obligation.

In determining the amount of financial penalty, the PDPC considered as aggravating factors the lack of sufficient security arrangements, the long period of risk of unauthorised disclosure and COURTS’s lack of initiative to gather more information regarding the complained incident.  However, the PDPC also found as mitigating factors the limited number of persons at risk from the security breach, the lack of actual loss or damage and COURTS’s implementation of measures to prevent recurrence.

Key takeaways

  • Organisations should not compromise on security in favour of a smoother check-out process online.  Data collected from guest user check-outs should be erased from a server even if customers will have to re-enter their personal data for each new purchase.
  • Organisations should carry out a full audit of their personal data processes and employ additional security measures such as penetration tests for their websites.

Newsletter

Subscribe to
our newsletters

To subscribe, select the newsletter options that interest you (TMT, FinTech or DPC - Data Protection and Cybersecurity) and provide your details.

  • TMT - Technology, Media and Telecommunications
  • FinTech
  • DPC - Data Protection & Cybersecurity
Please read our Privacy Policy. You can unsubscribe at any time.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
contact us
OrionW LLC
Level 37, 16 Collyer Quay
Collyer Quay Centre
Singapore 049318

OrionW is a boutique law firm specialising in Singapore and cross-border corporate, commercial and regulatory matters, with a focus on technology, media and telecommunications (TMT) and financial technology (FinTech). We are dedicated to providing excellent legal service to clients at the leading edge of their markets.

OrionW LLC (UEN 201505714C) is a Singapore law practice incorporated with limited liability.