

November 2019 PDPC Decisions: Data Breach by Ninja Van and Singtel

Date: November 8, 2019
Author: OrionW

In November 2019, the Singapore Personal Data Protection Commission (PDPC) found eight organisations to be in breach of the Personal Data Protection Act 2012 (PDPA).  Of those eight, the highest financial penalties were imposed on Ninja Logistics Pte Ltd (Ninja Van) and Singapore Telecommunications Limited (Singtel), both for breaching the Protection Obligation under the PDPA.

Ninja Van Decision

Logistics start-up Ninja Van provides packaging, delivery and tracking services.  In December 2014 Ninja Van launched a delivery order tracking function which uses a nine-digit “Tracking ID” as the sole means both of allowing customers to enquire about their delivery status and of confirming the identity of individuals who collect parcels on behalf of customers.  The PDPC received a complaint that the tracking page could be used to harvest personal data.  Because nothing other than the Tracking ID was checked, altering a few digits of a known Tracking ID, or simply guessing a nine-digit number that happened to be valid, returned another customer’s details.  Almost 1.3 million individuals were exposed to the risk of disclosure of, or unauthorised access to, data including their name, address, the Tracking ID, and/or the name and signature of the person who had accepted the delivery.

The PDPC found that Ninja Van had breached the Protection Obligation by failing to put in place reasonable security arrangements to protect the personal data in its possession or under its control, for two main reasons.

  • Firstly, Ninja Van was aware of the risk of unauthorised access and disclosure through manipulation of Tracking IDs.  For three months after the tracking function was launched, Ninja Van trialled a second authentication factor alongside the Tracking ID, requiring the last four digits of the customer’s mobile number or the customer’s last name.  The trial was abandoned because of practical difficulties: retailers were unwilling to disclose the information and customers often could not recall it.  The PDPC found it inexcusable and unreasonable for an organisation that knew of the risk to neglect its obligation to implement a workable security arrangement.
  • Secondly, apart from a one-off exercise in 2016 that archived 2.6 million Tracking IDs, Ninja Van had no procedure for removing personal data from the tracking page once a delivery was completed.  Records therefore continued to accumulate on the live tracking function, reaching almost 1.3 million individuals.  The risk of unauthorised access and disclosure would have been significantly reduced by expiring each Tracking ID a fixed period after the delivery was completed, which is what Ninja Van eventually did as part of its remedial actions.

Ninja Van was ordered to pay a S$90,000 penalty and implement a reasonable validity period for the Tracking IDs in compliance with the Protection Obligation.

Singtel Decision

Major local telco Singtel developed a mobile application (My Singtel) that lets customers view their account information and manage add-on services.  My Singtel communicates with Singtel’s servers through Application Programming Interfaces (APIs).  An anonymous informant reported to the PDPC a vulnerability in My Singtel that allowed unauthorised access to customers’ account details by using specialised tools to manipulate the API requests sent to the server.  The cause was a design flaw in the API: the input supplied by the application was not validated against the login credentials used to access My Singtel before the requested operation was performed (the Vulnerability).  In other words, a logged-in user could ask the server for an account other than their own and the server would comply; checking the request parameters against the authenticated user would have prevented the unauthorised access.  Using this, the informant accessed four billing accounts and extracted details including account number, address, contact number and customer service plans.  An estimated 330,000 customers were put at risk of unauthorised disclosure of personal data.

Singtel had engaged a third-party security vendor to conduct regular penetration tests on My Singtel and its backend systems.  The PDPC nonetheless found that Singtel had failed to put in place reasonable security arrangements and had exposed its customers to actual and potential unauthorised access to their personal data, for three reasons.

  • First, the Vulnerability was a relatively basic and well-known security risk that a reasonable person would have considered it necessary to detect and prevent: it appears in the Open Web Application Security Project (OWASP) Top 10 for 2013, where this class of flaw (a request parameter that names a record with no check that the caller is entitled to it) falls under insecure direct object references.
  • Second, although the PDPC acknowledged that exploiting it required some technical knowledge, anyone with a working understanding of how a mobile application talks to its servers through an API could have done so, and the tools and software required are freely available online.
  • Third, Singtel was aware of such vulnerabilities, having received professional third-party advice to take precautions, but it did not conduct the full code review that would have detected the Vulnerability.

The PDPC held that Singtel ought to have been more diligent and examined all other functions thoroughly to determine the security posture of the API and the server, and implemented the relevant fixes.  Because exploiting the Vulnerability required some technical expertise, a reduced penalty of S$25,000 was imposed on Singtel.
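Both decisions turn on the same engineering failure: a record is handed out to whoever names it, with nothing tying the request to a person entitled to see it. The Python below is an added illustration of the two patterns described above, the tracking lookup whose only secret is a guessable Tracking ID (with the second factor and expiry the decision says were missing), and the account API that performs whatever operation the client names without checking the target against the logged-in user. It is not code from Ninja Van, Singtel or the PDPC decisions; the record layout, the 30-day validity window, the last-four-digits check, and every name and identifier are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

# Added example: models the failures described in the Ninja Van and Singtel
# decisions.  Not either company's code; all data below is constructed.

@dataclass
class Delivery:
    tracking_id: str                    # nine digits, easy to guess or increment
    recipient_name: str
    address: str
    last4_mobile: str                   # second factor the requester must also know
    completed_at: Optional[datetime]    # None while the parcel is still in transit

# Constructed sample data: two consecutive Tracking IDs, one delivery completed.
DELIVERIES = {
    "123456789": Delivery("123456789", "Alice Tan", "1 Example Rd #01-01", "4321",
                          datetime(2019, 1, 5)),
    "123456790": Delivery("123456790", "Bob Lim", "2 Example Ave #02-02", "8765",
                          None),
}

TRACKING_VALIDITY = timedelta(days=30)  # assumed window; the decision fixes no number

def track_insecure(tracking_id: str) -> Optional[dict]:
    """Vulnerable pattern: the Tracking ID is the only thing checked, and a
    completed delivery stays retrievable indefinitely."""
    d = DELIVERIES.get(tracking_id)
    if d is None:
        return None
    return {"name": d.recipient_name, "address": d.address}

def track_secure(tracking_id: str, last4_mobile: str, now: datetime) -> Optional[dict]:
    """Hardened pattern: demand a second factor a guesser is unlikely to hold,
    and stop serving the record a fixed period after completion."""
    d = DELIVERIES.get(tracking_id)
    if d is None or d.last4_mobile != last4_mobile:
        return None  # same answer for unknown ID and wrong factor: no validity oracle
    if d.completed_at is not None and now - d.completed_at > TRACKING_VALIDITY:
        return None  # expired: no longer exposed through public tracking
    return {"name": d.recipient_name, "address": d.address}

def count_enumeration_hits(base_id: str, lookup: Callable[[str], Optional[dict]],
                           width: int = 5) -> int:
    """Replays the complaint: vary the last digits of one known ID and count
    how many records (the attacker's own included) the lookup hands back."""
    start, hits = int(base_id), 0
    for n in range(start - width, start + width + 1):
        if lookup(str(n).zfill(len(base_id))) is not None:
            hits += 1
    return hits

# Constructed billing accounts keyed by account number.  Ownership is the
# property the vulnerable API never checks.
ACCOUNTS = {
    "A-1001": {"owner": "alice", "address": "1 Example Rd", "plan": "Plan X"},
    "A-1002": {"owner": "bob", "address": "2 Example Ave", "plan": "Plan Y"},
}

def get_account_insecure(session_user: Optional[str], account_id: str) -> Optional[dict]:
    """Vulnerable pattern: the session proves that *someone* is logged in, but
    the account_id parameter sent by the client is trusted as-is."""
    if session_user is None:
        raise PermissionError("login required")
    return ACCOUNTS.get(account_id)

def get_account_secure(session_user: Optional[str], account_id: str) -> Optional[dict]:
    """Hardened pattern: bind the requested object to the authenticated principal."""
    if session_user is None:
        raise PermissionError("login required")
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session_user:
        return None  # someone else's account looks exactly like a non-existent one
    return acct

def run_scenarios() -> dict:
    """Exercises both patterns at two points in time and returns the outcomes."""
    soon = datetime(2019, 1, 20)    # 15 days after Alice's delivery completed
    later = datetime(2019, 3, 1)    # 55 days after: outside TRACKING_VALIDITY
    return {
        "insecure_hits": count_enumeration_hits("123456789", track_insecure),
        "secure_hits_wrong_factor": count_enumeration_hits(
            "123456789", lambda t: track_secure(t, "0000", later)),
        "alice_soon": track_secure("123456789", "4321", soon),
        "alice_later": track_secure("123456789", "4321", later),
        "bob_in_transit": track_secure("123456790", "8765", later),
        "alice_reads_bob_insecure": get_account_insecure("alice", "A-1002"),
        "alice_reads_bob_secure": get_account_secure("alice", "A-1002"),
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Two design points matter more than the specific checks. The hardened lookups return the same `None` for "no such record", "wrong second factor", "expired" and "not your account", so an enumerating client learns nothing about which IDs are valid; a distinct "wrong PIN" response would turn the endpoint back into a validity oracle. And the expiry is enforced at read time rather than by a periodic purge, which is what makes it hold regardless of whether a one-off archiving exercise was ever repeated.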

Key Takeaway

Organisations must be prudent in handling customers’ personal data and must carry out regular, in-depth testing and review of their security posture.  Such assessments should be broad in scope and should be checked against published guides to common vulnerabilities, such as the OWASP Top 10, to minimise the risk of unauthorised exposure of personal data.  Any vulnerabilities discovered should be resolved promptly and properly.

Disclaimer: This article is for general information only and does not constitute legal advice.
