
Ascentis Pte Ltd [2023] SGPDPC 10

Analysis of [2023] SGPDPC 10, a decision of the Personal Data Protection Commission on 2023-09-12.


Case Details

  • Citation: [2023] SGPDPC 10
  • Court: Personal Data Protection Commission
  • Date: 2023-09-12
  • Judges: Wong Huiwen Denise, Deputy Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: Ascentis Pte. Ltd.
  • Legal Areas: Data Protection – Protection Obligation, Data Protection – Data intermediary
  • Statutes Referenced: Advisory Guidelines on Key Concepts in the Personal Data Protection Act, Personal Data Protection Act
  • Cases Cited: [2020] SGPDPR 1, [2022] SGPDPC 3, [2022] SGPDPC 8, [2023] SGPDPC 10
  • Judgment Length: 14 pages, 3,084 words

Summary

In this case, the Personal Data Protection Commission (PDPC) investigated Ascentis Pte Ltd, the developer of an eCommerce platform for Starbucks Coffee Singapore Pte Ltd (Starbucks SG), for failing to implement reasonable security arrangements to protect the personal data of over 330,000 Starbucks rewards program members. The PDPC found that Ascentis, as a data intermediary processing personal data on behalf of Starbucks SG, had breached its obligations under the Personal Data Protection Act (PDPA) by not properly managing user accounts and access privileges, leading to a data breach incident. The PDPC imposed no direct financial penalty on Ascentis but accepted a voluntary undertaking from Starbucks SG to enhance its data protection compliance.

What Were the Facts of This Case?

Ascentis Pte Ltd is a software development company that was engaged by Starbucks SG in 2014 to develop and host a customer relationship management (CRM) system for Starbucks' rewards program. In 2020, Starbucks SG further engaged Ascentis to develop and provide technical support for an eCommerce platform (the "Platform") for Starbucks' online store.

To facilitate a seamless user experience, Ascentis implemented a process to automatically synchronize Starbucks rewards program members' personal data (including names, email addresses, phone numbers, and birthdates) from the CRM database to the Platform's own database whenever a member logged in. This meant that the personal data of over 330,000 Starbucks rewards members was stored across both the CRM database and the Platform's database.

Ascentis engaged a Vietnamese software company, Kyanon Digital, to provide additional development support for the Platform project. Kyanon employees were given full administrative access to the Platform through "Admin Accounts" that could export data from the Platform. When one of the Kyanon employees, "Peter", left the company in May 2022, his Admin Account credentials were not disabled. Instead, the Kyanon team simply changed the password and continued using the account among themselves.

Sometime between September 10-13, 2022, a malicious actor gained unauthorized access to the Platform using Peter's Admin Account, granted additional administrative privileges to other accounts, and exfiltrated the personal data of 332,774 Starbucks rewards members from the Platform's database. This data was subsequently offered for sale on the dark web.

The key legal issue in this case was whether Ascentis, as the developer and host of the Platform, had breached its obligations under the PDPA's "Protection Obligation" to make reasonable security arrangements to protect the personal data in its possession or under its control.

As the PDPA's Protection Obligation also applies to data intermediaries - organizations that process personal data on behalf of another organization - the PDPC had to determine whether Ascentis qualified as a data intermediary of Starbucks SG and was therefore subject to this obligation.

How Did the Court Analyse the Issues?

The PDPC first established that Ascentis was a data intermediary under the PDPA, as it was processing the personal data of Starbucks rewards members on Starbucks SG's behalf through the CRM system and Platform. As a data intermediary, Ascentis was therefore subject to the PDPA's Protection Obligation.

The PDPC then assessed whether Ascentis had implemented "reasonable security arrangements" to protect the large volume of personal data it was processing, as required by the Protection Obligation. Referring to its own advisory guidelines and guides, the PDPC highlighted that organizations should have robust policies and procedures to ensure appropriate security for personal data, including regularly reviewing and disabling user accounts when employees leave.

In Ascentis' case, the PDPC found that it had failed to implement reasonable security arrangements by not disabling the admin account of the former Kyanon employee, Peter, after he left the company. This allowed a malicious actor to gain unauthorized access to the Platform and exfiltrate the personal data of over 330,000 individuals. The PDPC noted that this was a basic security practice recommended in its guidance, and that Ascentis' failure to do so was a breach of the Protection Obligation, given the large volume and sensitivity of the personal data involved.
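The control the PDPC's guidance describes, a periodic review that disables user accounts when staff leave, is easy to state but is usually missed for exactly the reason seen here: the account belongs to a contractor, and the roster that records the departure is not the system that holds the credential. The following is an added example, not code from the decision, the article, or any of the companies involved. It reconciles a platform's admin accounts against a staff/contractor roster, flags enabled accounts whose owner has left, flags the "password rotated after departure" pattern that indicates a shared account, and pulls any privilege grants or data exports performed by such accounts out of the audit log for review. Every name, address, date and log record is constructed for illustration.

```python
"""Constructed example: periodic admin-account review for a hosted platform.

Reconciles platform admin accounts against an HR/contractor roster, flags
accounts whose owner has left (or that look shared), and surfaces privilege
grants or exports performed by such accounts. All records below are
constructed for illustration; nothing is taken from a real system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class AdminAccount:
    username: str
    owner_email: str              # person accountable for this account
    enabled: bool
    last_password_change: date


@dataclass
class StaffRecord:
    email: str
    departure_date: Optional[date]  # None while still employed or engaged


@dataclass
class AuditEvent:
    when: date
    actor: str      # username that performed the action
    action: str     # e.g. "grant_admin", "export", "login"
    target: str


# Constructed sample data (hypothetical names, addresses and dates).
ACCOUNTS = [
    AdminAccount("p.dev", "peter@contractor.example", True, date(2022, 6, 1)),
    AdminAccount("a.lead", "anna@contractor.example", True, date(2022, 1, 10)),
    AdminAccount("ops", "ops@developer.example", True, date(2022, 3, 1)),
    AdminAccount("j.old", "june@developer.example", False, date(2021, 5, 5)),
]
ROSTER = [
    StaffRecord("peter@contractor.example", date(2022, 5, 31)),
    StaffRecord("anna@contractor.example", None),
    StaffRecord("ops@developer.example", None),
    StaffRecord("june@developer.example", date(2021, 6, 30)),
]
AUDIT_LOG = [
    AuditEvent(date(2022, 8, 1), "a.lead", "grant_admin", "intern"),
    AuditEvent(date(2022, 9, 11), "p.dev", "grant_admin", "newuser1"),
    AuditEvent(date(2022, 9, 11), "p.dev", "export", "members_table"),
    AuditEvent(date(2022, 9, 12), "ops", "login", "-"),
]

# Actions that warrant a second look when performed by an account that
# should no longer exist.
SENSITIVE_ACTIONS = {"grant_admin", "export"}


def find_orphaned_accounts(accounts, roster, as_of) -> Dict[str, List[str]]:
    """Return enabled admin accounts that should have been disabled, with reasons."""
    departures = {r.email: r.departure_date for r in roster}
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: this is the expected end state
        reasons = []
        if acct.owner_email not in departures:
            reasons.append("owner not found in roster")
        else:
            left = departures[acct.owner_email]
            if left is not None and left <= as_of:
                reasons.append(f"owner departed {left.isoformat()} but account still enabled")
                # A password change after the owner left means someone else
                # kept using the credential rather than retiring it.
                if acct.last_password_change > left:
                    reasons.append("password rotated after departure: account is likely shared")
        if reasons:
            findings[acct.username] = reasons
    return findings


def sensitive_actions_by(events, usernames) -> List[AuditEvent]:
    """Privilege grants and exports performed by the given (orphaned) accounts."""
    return [e for e in events if e.actor in usernames and e.action in SENSITIVE_ACTIONS]


def run_review(as_of: str) -> dict:
    """Run the review as of an ISO date string; returns findings for the reviewer."""
    cutoff = date.fromisoformat(as_of)
    orphaned = find_orphaned_accounts(ACCOUNTS, ROSTER, cutoff)
    return {
        "orphaned": orphaned,
        "suspicious_events": sensitive_actions_by(AUDIT_LOG, set(orphaned)),
    }


if __name__ == "__main__":
    result = run_review("2022-09-14")
    for user, reasons in result["orphaned"].items():
        print(f"DISABLE {user}: " + "; ".join(reasons))
    for ev in result["suspicious_events"]:
        print(f"REVIEW {ev.when} {ev.actor} {ev.action} {ev.target}")
```

Run as of a constructed review date of 2022-09-14, the script flags the one enabled account whose owner left, notes that its password was changed after the departure (so it was being shared rather than retired), and lists the privilege grant and the export that account performed. The point of keying the review on the roster rather than on the platform's own user list is that the platform has no way of knowing a contractor has left; that fact lives with whoever engaged them, so the reconciliation has to join the two sources and the developer hosting the platform has to own the schedule on which it runs.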

What Was the Outcome?

Based on its findings, the PDPC determined that Ascentis had contravened the PDPA's Protection Obligation. However, the PDPC did not impose a direct financial penalty on Ascentis.

Instead, the PDPC accepted a voluntary undertaking from Starbucks SG to implement enhanced security arrangements and improve its overall compliance with the PDPA. No further enforcement action was taken against Ascentis.

Why Does This Case Matter?

This case provides important guidance on the obligations of data intermediaries under the PDPA. It reinforces that organizations processing personal data on behalf of others must have robust security measures in place, including proper user account management, to fulfill their data protection responsibilities.

The PDPC's decision highlights that a failure to implement basic security practices, even by a data intermediary, can constitute a breach of the PDPA's Protection Obligation - especially when a large volume of sensitive personal data is involved. This case serves as a reminder to all organizations, whether data controllers or data intermediaries, to carefully review and strengthen their data protection measures to avoid similar incidents.

While the PDPC did not impose a direct financial penalty on Ascentis in this case, the acceptance of a voluntary undertaking from Starbucks SG demonstrates the PDPC's willingness to work collaboratively with organizations to improve data protection compliance. However, the PDPC has shown it will not hesitate to take stronger enforcement action, including financial penalties, in cases of serious or repeated PDPA breaches.

This article analyses [2023] SGPDPC 10 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
