
Autobahn Rent A Car Pte. Ltd. [2023] SGPDPCS 4

Analysis of [2023] SGPDPCS 4, a decision of the Personal Data Protection Commission on 2023-06-09.

Case Details

  • Citation: [2023] SGPDPCS 4
  • Court: Personal Data Protection Commission
  • Date: 2023-06-09
  • Judges: Not specified
  • Plaintiff/Applicant: Not specified
  • Defendant/Respondent: Autobahn Rent A Car Pte. Ltd.
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act
  • Cases Cited: [2022] SGPDPC 3, [2023] SGPDPCS 4
  • Judgment Length: 6 pages, 1,256 words

Summary

In this case, the Personal Data Protection Commission (PDPC) investigated a personal data breach incident at Autobahn Rent A Car Pte. Ltd. (the "Organisation"), a car-sharing service provider in Singapore. The Organisation had failed to revoke the administrator account credentials of a former employee, allowing a malicious actor to gain unauthorized access to the Organisation's backend system and download the personal data of 53,000 users. The PDPC found the Organisation in breach of its protection obligation under the Personal Data Protection Act 2012 (PDPA), imposed a financial penalty and directed the Organisation to take remedial measures.

What Were the Facts of This Case?

On 21 October 2022, Autobahn Rent A Car Pte. Ltd. (the "Organisation") notified the Personal Data Protection Commission (the "Commission") of a personal data breach (the "Incident"). The Organisation operates a car-sharing service called Shariot in Singapore.

On 24 September 2022, the Organisation received customer feedback that a photograph on its mobile application had been replaced with a pornographic photograph. The Organisation discovered that the pornographic photograph had been uploaded through an unrevoked administrator account belonging to an ex-employee, who had left the Organisation in May 2022. The ex-employee had received an email from an unknown sender on 10 September 2022 stating that his personal laptop had been hacked and demanding Bitcoin as ransom payment. The threat actor was able to log into the Shariot mobile application's administrator portal through the administrator account belonging to the ex-employee, and used the export CSV function to download a copy of Shariot users' personal data.

Subsequently, on 21 October 2022, a cybersecurity solutions provider alerted the Organisation to a cybercrime forum post offering for sale a Shariot database containing personal data. The Commission then commenced investigations to determine whether the Incident disclosed any breaches of the PDPA by the Organisation.

The key legal issue in this case was whether the Organisation had breached its protection obligation under Section 24 of the PDPA. Section 24 requires organisations to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal or similar risks".

Specifically, the Commission had to determine whether the Organisation had failed to implement reasonable security measures to prevent the unauthorized access and disclosure of the personal data of its Shariot users.

How Did the Court Analyse the Issues?

The Commission found that the Organisation had failed to ensure it had reasonable security arrangements in place to prevent the unauthorized access or disclosure of the personal data in its possession or control. Firstly, the Organisation failed to revoke the login credentials of the administrator account belonging to the ex-employee after his employment ended in May 2022. As a result, the ex-employee's administrator login credentials remained active, which enabled the malicious actor to gain access to the Organisation's network.

Secondly, the Commission noted that the Incident would not have happened if the Organisation had implemented multi-factor authentication (MFA) as an additional access control for its administrator accounts that had access to its sizeable user database. In a previous case, Re Lovebonito [2022] SGPDPC 3, the Commission had highlighted the need for organisations to strengthen access control through the use of one-time passwords or two-factor/multi-factor authentication for accounts with access to sensitive personal data.

The Commission emphasized that regardless of whether an account is an administrative account, once an account is granted access rights to a database containing sensitive personal data or a significant volume of personal data, organisations should consider implementing enhanced access controls such as MFA to better safeguard the personal data.

What Was the Outcome?

The Commission determined that the Organisation had breached the Protection Obligation under Section 24 of the PDPA. In deciding the appropriate financial penalty, the Commission considered the impact of the personal data breach on the affected individuals, the nature of the Organisation's non-compliance, and the Organisation's turnover.

While the disclosure of NRIC numbers and general location data was less serious than a disclosure of specific GPS location data would have been, the Commission still found the breach to be not insignificant. Ultimately, the Commission required the Organisation to pay a financial penalty of $3,000.

In addition to the financial penalty, the Commission also directed the Organisation to:

  • Implement processes for timely revocation of system and application access upon cessation of an employee's need for access
  • Strengthen access control measures for administrator accounts with access to databases holding personal data
  • Conduct a security review and rectify any security gaps identified within 60 days
  • Inform the Commission within 1 week of completing the directed steps
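The first two directions above, reduced to a check a defender could run against an admin-portal user list: it flags active accounts whose owner has already left, and accounts that can export the user database but have no MFA. This is an added example, not code from the decision or from the Organisation; the account records, the `employee_left_on` HR field, the exact departure day and the `export_csv` right name are constructed sample data modelled on the facts of the case.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass
class AdminAccount:
    username: str
    active: bool
    mfa_enabled: bool
    rights: set[str]                 # e.g. {"export_csv", "upload_media"} (constructed names)
    employee_left_on: date | None    # None while still employed (constructed HR field)


# Constructed sample records: one ex-employee who left in May 2022 still holds an
# active admin account with the CSV export right and no MFA, alongside two current staff.
SAMPLE_ACCOUNTS = [
    AdminAccount("alice", True, True, {"export_csv", "upload_media"}, None),
    AdminAccount("bob", True, False, {"upload_media"}, None),
    AdminAccount("former_admin", True, False, {"export_csv", "upload_media"}, date(2022, 5, 31)),
]


def orphaned_accounts(accounts, today, grace_days=1):
    """Direction 1: active accounts whose owner left more than grace_days ago.

    Returns (username, days since departure) so the finding carries its own severity."""
    return [
        (a.username, (today - a.employee_left_on).days)
        for a in accounts
        if a.active and a.employee_left_on is not None
        and (today - a.employee_left_on).days > grace_days
    ]


def bulk_access_without_mfa(accounts, bulk_rights=frozenset({"export_csv"})):
    """Direction 2: active accounts that can pull the whole user database but have no MFA."""
    return [
        a.username for a in accounts
        if a.active and not a.mfa_enabled and a.rights & bulk_rights
    ]


def review(accounts, today):
    """Run both checks; an empty result for each key means the directions are met."""
    return {
        "orphaned": orphaned_accounts(accounts, today),
        "bulk_no_mfa": bulk_access_without_mfa(accounts),
    }


if __name__ == "__main__":
    # Review as of the day the Incident was discovered in the decision.
    print(review(SAMPLE_ACCOUNTS, date(2022, 9, 24)))
```

Run on a real export, the `orphaned` list is the offboarding backlog and `bulk_no_mfa` is the set of accounts the Commission's MFA remark applies to.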

Why Does This Case Matter?

This case highlights the importance of organizations having robust access control measures, particularly for administrator accounts with access to sensitive personal data. The Commission emphasized that regardless of the type of account, if it has access to a significant volume of personal data, organizations should consider implementing enhanced security controls such as multi-factor authentication.

The case also underscores the need for organizations to have proper user account management processes, including the timely revocation of access rights upon termination of employment. Failure to do so can expose organizations to the risk of unauthorized access and data breaches, as demonstrated in this incident.

The financial penalty and remedial directions imposed by the Commission send a clear message to organizations that they must take their data protection obligations seriously and implement reasonable security measures to safeguard the personal data in their possession or control. This case serves as an important precedent for organizations in Singapore to review and strengthen their data protection practices.

This article analyses [2023] SGPDPCS 4 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla