The May 2022 PDPC Incidents and Undertaking — Privacy Ninja
The May 2022 PDPC Incidents and Undertaking decision of the Personal Data Protection Commission (PDPC) have been published on PDPC’s official website. For this month, six (6) cases have been issued covering the financial penalties of Southaven Boutique, PINC Interactive, and Lovebonito; the warning given to Toll Logistics (Asia) and others, and the decisions given to Singapore Telecommunications (Singatel) and Royal Caribbean Cruises (Asia) stating that they are not guilty of a data breach.
It should be noted that the Personal Data Protection Act (PDPA) aims to balance the organizations’ needs to use data for legitimate purposes with the protection of individuals’ personal information as it is tasked with the administration and enforcement.
In doing so, the decisions conducted by PDPC are published on their website, which is open to all who want to read the latest data security standards set by the PDPC. With this, for the better observance of organizations with such standards, it is their duty to be kept updated with the latest PDPC incident and undertakings.
Let’s have a look at the May 2022 cases with the latest cybersecurity updates to date.
May 19: Southaven Boutique’s breach of the Data Protection Obligations
Our first case of PDPC incidents and undertaking involves Southaven Boutique. On February 5, 2021, the organization notified the PDPC of a ransomware attack that occurred on or about February 4, 2021. With this incident, a threat actor was able to access the organization’s Point-Of-Sale (POS) system server, and 4,709 customers’ personal data was encrypted.
The personal data affected include names, addresses, email addresses, contact numbers, and date of birth. Upon investigation, it was revealed that the organization was not able to implement adequate administrative and technical security arrangements.
It was also uncovered that the organization neglected to set up any data protection obligations or duties with the POS vendor whom the organization had chosen to provide and install the POS and relied on for system service issues. This meant that the organization did not, in fact, engage the POS provider to offer the essential maintenance support.
With this Incident, Southaven Boutique was made to pay a financial penalty of S$5,000 for breaching the data protection obligation and for failure to make reasonable security arrangements to ensure that the POS server is kept secure and free from any access to bad actors.
May 19: PINC Interactive’s breach of the Data Protection Obligations
Our second case of PDPC incidents and undertaking involves PINC Interactive. On February 2, 2020, the PDPC received feedback about a Twitter post that revealed that the personal data of www.pincstyle.com had been exposed.
Upon investigations, it was revealed that sometime in October 2019, the organization’s Staging Database comprising 252,813 records were accessed and exfiltrated. This database is a synthetic database containing the personal data of 3,916 actual users, while the remaining 248,897 records were fake or “dummy” data modeled after the real data.
It was found out that there were two likely causes of the incident: First, the organization’s developers kept a copy of the Staging Database on their personal devices. When their computers were compromised, the database was exfiltrated. Second, the unauthorized access may have occurred because the organization did not require authentication for the Application Programming Interface (API) being tested, which pointed to the Staging Database containing the personal information of actual users despite the Staging Database being accessible via the Internet.
With this Incident, PINC Interactive was made to pay a financial penalty of S$12,500 for breaching the data protection obligation and for failure to make reasonable security arrangements to ensure that the Staging Database was free from any external access, especially that it contains not only synthetic data but also personal data of real individuals.
May 19: Lovebonito’s breach of the Data Protection Obligations
Our third case of PDPC incidents and undertaking involves Lovebonito. On December 12, 2019, the organization informed the PDPC that one of its I.T. systems had been hacked and that 5,561 personal data of its customers had been affected. There were also two complaints from individuals who were affected by the incident.
The organization operates an e-commerce platform retailing clothing and accessories. Lovebonito employed two third-party solutions to manage its website. It employed Magento Cloud, a cloud-based service, to host and run the website, and Adyen N.V., a payment platform, to facilitate the credit card payments on the website.
When a customer specified that they would be paying by credit card, Adyen’s platform would load immediately from their servers within the “checkout” page of the website. The organization would then store the Partial Credit Card Data together with other details collected by the organization for the purposes of processing the order.
On or around November 22, 2019, the organization noted a high drop in credit card authorizations for payments via Adyen’s platform, and upon investigation, it was found out that its Checkout Page had been configured to load an incorrect form.
With this, the Credit Card Data intended to be sent to Adyen to be intercepted and exfiltrated was sent to the bad actor instead.
With this Incident, Lovebonito was made to pay a financial penalty of S$29,000 for breaching the data protection obligation and for failure to make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification disposal, or similar risks.
Those who suffered a fine: What we can get from these cases
We can get from these cases the importance of appointing a DPO who is responsible for ensuring that organizations comply with the PDPA and making sure that they have healthy cybersecurity hygiene. One of the jobs of a DPO is to ensure that any vulnerabilities within the organization’s system are patched up so that instances such as ransomware attacks will not happen in the future.
DPOs also make sure that any possible point of entry for bad actors and the ways to get there are as tight as possible by employing policies for employees to follow and raising awareness for them so that data breaches that have a consequence of financial penalties can be avoided.
Every organization should always remember that the financial penalty not only represents a monetary obligation, it may also represent a loss of trust for the customers who might think that their personal data is not as safe as they think.
May 2022 PDPC Incidents and Undertaking: A warning was issued to Toll Logistics (Asia) and others
Our next case involves Toll Logistics and others where the PDPC issued a warning in respect of their breach of the Data Protection Obligation, specifically the Transfer Limitation Obligation. On June 11, 2020, Toll Holdings notified the PDPC of a ransomware attack where the Group’s I.T. systems containing personal data were infected.
The ransomware infestation affected both the current and the former employee’s personal data, and this led to three subsequent complaints that they received from former employees.
This all started when Toll Holdings contracted a vendor in Ireland for the Group’s use of the H.R. Vendor’s human resources software platform (H.R. Platform). To facilitate the use of the common H.R. Platform, the Group uploaded the personal data of their employees to the H.R. Platform.
Prior to the Incident, Toll Holdings’ Chief Human Resources Officer extracted personal data relating to 1,748 of the organization’ current and former employees from the H.R. Platform and transmitted them to their server in Australia. Toll Holdings represented that this personal data was transferred for the purposes of performing services for the Organizations.
However, a malicious actor gained access to Toll Holdings’ I.T. environment in Australia using credentials stolen from a third-party vendor. Having gained access to the Group’s I.T. environment, the malicious actor used advanced malware and a range of hacking tools to move through the Group’s network, conduct reconnaissance, and escalate account privileges.
Fortunately, Toll Logistics and others were only issued a warning after it was found out that the access to the transferred personal data was limited to entities within the same corporate group, and that there was no evidence of any loss or damage resulting from the Organizations’ contravention of the Transfer Limitation Obligation, and that the Group already implemented intra-group contractual arrangements to govern future transfers of personal data.
What we can learn from this case is the importance of proactively putting security arrangements to protect the personal data that an organization may hold. With this in place, this will serve as a mitigating factor to offset a potential financial penalty.
In this case, although there was a successful infiltration of the bad actors to one of the servers of the Group, they were spared a whopping fine simply by being able to lay out an intra-group contractual arrangement to govern the future transfers of personal data.
May 2022 PDPC Incidents and Undertaking: No breach occurred
For our remaining cases completing the month of May, we have Singapore Telecommunications (Singatel) and Royal Caribbean Cruises (Asia), where the PDPC decided that they were not in breach of the PDPA and were not given a financial penalty or a warning.
May 19: Singapore Telecommunications (Singatel) not breaching the PDPA
Our next case involves Singapore Telecommunications (Singatel), where the PDPC decided that they were not in breach of the PDPA. On February 10, 2021, the organization notified the PDPC of a personal data breach that had occurred through the exploitation of zero-day vulnerabilities in a File Transfer Appliance (FTA) provided by a third-party system.
This incident affected 9,921 files containing personal data that were exfiltrated, including their name, NRIC number, FIN, UIN, nationality, date of birth, address, email address, mobile number, photograph, staff, company pass or I.D., bank account number, credit card information (with expiry date), billing information, and vehicle number were affected.
Investigations found out that the organization had a license to use the FTA with Accellion Pte Ltd, an FTA developer. Accordingly, the discovery and rectification of the zero-day vulnerabilities within the FTA system fell within the sole responsibility and control of the developer.
With this, Singatel was free from any liability due to the breach and will not cover any consequences which may come under such breach.
May 19: Royal Caribbean Cruises (Asia) not breaching the PDPA
Our last case for this month involves Royal Caribbean Cruises (Asia) where the PDPC also decided that it did not breach the PDPA. On April 5, 2018, the PDPC received a complaint that a member of the public received the personal data of unrelated individuals in an email payment reminder sent by the organization.
The personal data of 526 individuals were inadvertently disclosed to other unrelated members of the public via unintended email payment reminders. This caused the disclosure of booking I.D.s, ship codes, sailing dates, names, net amounts due, amounts paid, balance due, and the balance due date.
The organization is part of the Royal Caribbean Group and is the wholly-owned subsidiary and data intermediary of the USA-based Royal Caribbean Cruises Ltd (RCL). RCL’s branch office in the Philippines (RCL Philippines) provides I.T. support to entities within the Royal Caribbean Group and does not have a separate legal identity from RCL.
Upon investigation, it was found out that the Data Breach Incident occurred because RCL Philippines made an error in the coding of the email parameters in the Structured Query Language (SQL) script leading to the Collated Payment Reminders being sent to the first customers in the mailing lists instead of the organization.
With this, the PDPC held that since a coding error occurred within RCL Philippines’ operations and that the Data Breach Incident did not arise from the organization’s business functions, Royal Caribbean Group did not breach the PDPA.
What we can get from these cases
We can get from these cases the importance of laying out the roles and functions of third parties when it comes to incidents of data breaches. These cases give us an idea that when an organization contracts a vendor and there has been a breach, it will not necessarily mean that the organization will face the consequences of such breach.
Oftentimes, when there is a contractual obligation between the organization and the vendor, and the functions of the vendor are laid clearly, the PDPC will make the vendor accountable when the breach occurs upon the official functions of the third party without interference from the organization as the data controller.