
Carousell Pte. Ltd. [2023] SGPDPC 13

Analysis of [2023] SGPDPC 13, a decision of the Personal Data Protection Commission on 2023-12-28.


Case Details

Summary

In this decision, the Personal Data Protection Commission (the "Commission") found that Carousell Pte. Ltd. ("Carousell") had breached its obligations under the Personal Data Protection Act 2012 ("PDPA") to protect the personal data of its users. The Commission's investigation focused on two data breach incidents that occurred in 2022, where Carousell's platform experienced vulnerabilities that led to the unauthorized access and disclosure of its users' personal data.

The Commission determined that Carousell had failed to conduct proper pre-launch testing and implement adequate security measures to prevent such data breaches, thereby contravening the PDPA's protection obligation. The decision outlines the details of the two incidents, Carousell's remedial actions, and the Commission's analysis and findings on Carousell's breaches of the PDPA.

What Were the Facts of This Case?

Carousell Pte. Ltd. operates an online marketplace platform for the buying and selling of new and second-hand goods and services. In 2022, Carousell notified the Commission of two separate data breach incidents involving the unauthorized access and disclosure of its users' personal data.

The first incident ("1st Incident") occurred in July and August 2022, when Carousell implemented changes to the chat function on its platform. Due to human error, these changes caused the chat function to automatically append the email addresses and names of both registered and guest users to messages sent to listing owners, without the users' consent. This resulted in the disclosure of the personal data of 44,477 individuals across Singapore, Malaysia, Indonesia, Taiwan, and the Philippines.

The second incident ("2nd Incident") occurred in May and June 2022, when Carousell launched a public-facing Application Programming Interface (API) during a system migration process. Carousell inadvertently omitted to apply a necessary filter on the API, resulting in a vulnerability that allowed a threat actor to scrape the non-public personal data (email addresses, telephone numbers, and dates of birth) of at least 2.6 million Carousell users.

The key legal issue in this case was whether Carousell had breached its obligations under Section 24 of the PDPA to protect the personal data of its users. Section 24 requires organizations to make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks to personal data in their possession or under their control.

The Commission's investigation focused on two aspects of Carousell's conduct: (1) its failure to conduct proper pre-launch testing of new IT features and changes, and (2) its insufficient implementation of administrative and technical security measures to prevent the data breaches.

How Did the Court Analyse the Issues?

In its analysis, the Commission emphasized the importance of proper pre-launch testing to identify and rectify data protection risks and defects before deploying new IT features or changes. The Commission cited its previous decisions, such as Management Corporation Strata Title Plan No. 3400 [2020] SGPDPC 10, which highlighted the need for organizations to conduct thorough code reviews and pre-launch testing to prevent unintended disclosure or access to personal data.

The Commission found that Carousell's pre-launch testing was inadequate, as evidenced by the bugs that led to the unauthorized disclosure of personal data in both the 1st and 2nd Incidents. The Commission noted that Carousell should have conducted more comprehensive testing to identify and address these vulnerabilities before deploying the changes to its platform.
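The two failure modes the Commission describes, an output filter omitted from a public API and contact details appended to chat messages by a code change, are exactly the kind of defect a release gate can catch before deployment. The following is an added example of such a pre-launch check, not Carousell's code and not drawn from the decision, which does not describe the platform in this detail. The `User` record, the `public_profile` and `build_chat_message` functions, the two deliberately unfiltered variants used as negative cases, and the sample users are all hypothetical and constructed for illustration.

```python
"""Pre-launch regression checks for non-public personal data leaving a service boundary.

Hypothetical example: an allow-listed public profile serializer and a chat
message builder, plus a leak detector that a CI pipeline would run on every
change before release. None of this is Carousell's code.
"""
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class User:
    """Hypothetical stored user record; the last three fields are non-public."""
    user_id: int
    username: str
    display_name: str
    email: str
    phone: str
    date_of_birth: str
    is_guest: bool = False


# Explicit allow-list: the public API may expose only these attributes.
# A new private column on User is therefore not exposed until added here on purpose.
PUBLIC_PROFILE_FIELDS = ("user_id", "username", "display_name")

# Deny-list used by the release gate as an independent second check.
NON_PUBLIC_FIELDS = frozenset({"email", "phone", "date_of_birth"})


def public_profile(user: User) -> dict:
    """Serialize a user for the public API using the allow-list (fails closed)."""
    return {name: getattr(user, name) for name in PUBLIC_PROFILE_FIELDS}


def unfiltered_profile(user: User) -> dict:
    """Negative case: the filter step is missing, so the whole record goes out."""
    return asdict(user)


def build_chat_message(sender: User, body: str) -> dict:
    """Render a chat message for a listing owner; only platform identity travels with it."""
    return {
        "from_user_id": sender.user_id,
        "from_display_name": sender.display_name,
        "body": body,
    }


def chat_with_contact_appended(sender: User, body: str) -> dict:
    """Negative case: a change that appends the sender's contact details to the body."""
    msg = build_chat_message(sender, body)
    msg["body"] = f"{body}\n-- {sender.display_name} <{sender.email}>"
    return msg


def leaked_fields(payload: dict, user: User) -> set:
    """Return the names of non-public fields of `user` that appear in `payload`.

    Both keys and values are checked, so a leak by string concatenation into
    a free-text field is caught as well as a leak by serializing the field itself.
    """
    flat = repr(payload)  # crude but sufficient: search the serialized payload
    leaks = set()
    for name in NON_PUBLIC_FIELDS:
        value = str(getattr(user, name))
        if name in payload or (value and value in flat):
            leaks.add(name)
    return leaks


def run_prelaunch_checks() -> dict:
    """Release gate: run the leak detector over constructed sample users.

    Returns a mapping of check name to the set of leaked fields; every set
    must be empty for the change to ship.
    """
    # Constructed sample data, including a guest user as in the 1st Incident's description.
    samples = [
        User(1, "alice88", "Alice", "alice@example.com", "+6591234567", "1990-01-01"),
        User(2, "guest-7f3a", "Guest", "guest@example.com", "+6598765432", "1985-05-05", True),
    ]
    results = {}
    for u in samples:
        results[f"profile:{u.user_id}"] = leaked_fields(public_profile(u), u)
        results[f"chat:{u.user_id}"] = leaked_fields(
            build_chat_message(u, "Is this still available?"), u
        )
    return results


if __name__ == "__main__":
    for check, leaks in run_prelaunch_checks().items():
        print(check, "OK" if not leaks else f"LEAK {sorted(leaks)}")
```

The allow-list in `public_profile` is the structural fix: an omitted filter on a deny-list serializer exposes everything, whereas an omitted entry on an allow-list exposes nothing. The deny-list check in `leaked_fields` is kept separately so that the gate still fails if someone later adds a private field to the allow-list by mistake.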

Additionally, the Commission examined Carousell's implementation of administrative and technical security measures to protect its users' personal data. The Commission found that Carousell's security arrangements were insufficient, as demonstrated by the successful exploitation of the vulnerabilities in its API and chat function by threat actors. The Commission emphasized that organizations must implement robust security measures, including regular security audits, anomaly detection, and penetration testing, to fulfill their protection obligations under the PDPA.

What Was the Outcome?

Based on its findings, the Commission determined that Carousell had breached its protection obligation under Section 24 of the PDPA in relation to both the 1st and 2nd Incidents. The Commission acknowledged the remedial actions taken by Carousell, such as deleting the affected personal data, notifying users, and implementing various security improvements. However, the Commission concluded that Carousell's initial failures to conduct proper pre-launch testing and implement adequate security measures led to the data breaches, which constituted contraventions of the PDPA.

Why Does This Case Matter?

This case is significant as it reinforces the importance of data protection obligations for organizations handling personal data. The Commission's decision highlights the need for organizations to prioritize data protection and security, particularly when implementing new IT features or changes to their systems.

The case underscores the Commission's emphasis on the importance of pre-launch testing and the implementation of robust security measures to prevent unauthorized access and disclosure of personal data. Organizations must conduct thorough code reviews, pre-launch testing, and regular security audits to identify and address potential vulnerabilities before deploying new systems or features.

Furthermore, this decision serves as a reminder to organizations that they will be held accountable for breaches of the PDPA's protection obligation, even if they take remedial actions after the fact. The Commission's findings and the imposition of liability on Carousell in this case send a clear message to all organizations handling personal data in Singapore to prioritize data protection and security as a critical aspect of their operations.

This article analyses [2023] SGPDPC 13 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla