Case Details
- Citation: [2019] SGPDPC 44
- Court: Personal Data Protection Commission
- Date: 2019-11-26
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Chizzle Pte. Ltd.
- Legal Areas: Data protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2018] SGPDPC 1, [2018] SGPDPC 12, [2018] SGPDPC 26, [2019] SGPDPC 1, [2019] SGPDPC 44, [2020] SGPDPCR 1
- Judgment Length: 6 pages, 1,382 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that Chizzle Pte. Ltd. had breached its obligation under section 24 of the Personal Data Protection Act 2012 (PDPA) to make reasonable security arrangements to protect the personal data of its users. An unauthorised party gained access to Chizzle's database through a phpMyAdmin installation that was reachable from the Internet, deleted the database and left a ransom demand. The PDPC imposed a financial penalty on Chizzle and directed the company to take remedial measures to improve the security of its mobile application and IT systems.
What Were the Facts of This Case?
Chizzle Pte. Ltd. (the "Organisation") operates a mobile application (the "Mobile App") that connects learners and teachers in Singapore, Australia and India. On 31 July 2018, the Organisation notified the PDPC of a cyberattack (the "Incident") that had compromised the personal data of 2,213 users of the Mobile App, some of them in Singapore (the "Affected Individuals").
The Organisation discovered the Incident on 30 July 2018, when the Mobile App stopped responding. An unauthorised party had deleted the Organisation's database containing the personal data of the Affected Individuals (the "Chizzle Database") and left a ransom demand. The personal data compromised comprised the names, dates of birth, genders and email addresses of the Affected Individuals and, for some of them, mobile numbers and residential addresses (the "Compromised Personal Data").
The Organisation believed that the unauthorised party had entered the Chizzle Database through phpMyAdmin, a web-based MySQL administration tool that formed part of the Organisation's IT infrastructure. The phpMyAdmin installation was configured to accept connections from the Internet. The Organisation believed that the attacker had brute-forced the phpMyAdmin login, but it had no logs with which to confirm how the login was obtained. Whatever the entry route, the unauthorised party ended up with full control over the Chizzle Database, including the ability to read, write and delete data.
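The decision turns partly on the absence of logs: without them the Organisation could neither confirm the brute-force theory nor notice the attack while it was under way. The following Python example, added here and not part of the decision or of the Organisation's systems, shows the detection a practitioner would want in front of an Internet-facing phpMyAdmin: it parses Apache "combined" access log lines and flags any source address that makes repeated failed login POSTs within a short window, then marks the source as likely compromised if a redirect follows the failed run. The log lines are constructed for the example. It assumes phpMyAdmin is served under /phpmyadmin/, that a failed login re-renders the form with HTTP 200 and that a successful one answers with a 302 redirect; the window and threshold are arbitrary starting points.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Assumptions, not facts from the decision: phpMyAdmin lives under /phpmyadmin/,
# a failed login re-renders the form (200), a successful login redirects (302).
LOGIN_PATH = re.compile(r'^/phpmyadmin/(index\.php)?(\?.*)?$', re.IGNORECASE)
WINDOW = timedelta(minutes=5)   # sliding window for counting failures
THRESHOLD = 10                  # failed POSTs per source within WINDOW


def parse_line(line):
    """Parse one combined-format line into (ip, timestamp, method, path, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['method'], m['path'], int(m['status'])


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: {'failed': total_failed_posts, 'compromised': bool}} for sources
    that exceed `threshold` failed login POSTs inside `window`."""
    recent = defaultdict(deque)     # ip -> timestamps of failed logins still inside the window
    total_failed = defaultdict(int)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != 'POST' or not LOGIN_PATH.match(path):
            continue
        q = recent[ip]
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if status == 200:                 # form re-rendered: failed attempt
            q.append(ts)
            total_failed[ip] += 1
            if len(q) >= threshold:
                flagged.setdefault(ip, {'failed': 0, 'compromised': False})
        elif status == 302 and ip in flagged:   # redirect after a flagged run: likely success
            flagged[ip]['compromised'] = True
        if ip in flagged:
            flagged[ip]['failed'] = total_failed[ip]
    return flagged


def _line(ip, ts, method, path, status):
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


def constructed_sample():
    """Constructed log lines for the example (documentation addresses, not real traffic)."""
    base = datetime(2018, 7, 30, 1, 0, 0, tzinfo=timezone.utc)
    lines = [_line('203.0.113.45', base, 'GET', '/phpmyadmin/', 200)]
    # attacker: 12 failed logins about 8 seconds apart, then a redirect (successful login)
    for i in range(12):
        lines.append(_line('203.0.113.45', base + timedelta(seconds=8 * (i + 1)),
                           'POST', '/phpmyadmin/index.php', 200))
    lines.append(_line('203.0.113.45', base + timedelta(seconds=110),
                       'POST', '/phpmyadmin/index.php', 302))
    # legitimate administrator: one mistyped password, then success
    lines.append(_line('198.51.100.7', base + timedelta(minutes=3),
                       'POST', '/phpmyadmin/index.php', 200))
    lines.append(_line('198.51.100.7', base + timedelta(minutes=3, seconds=20),
                       'POST', '/phpmyadmin/index.php', 302))
    return lines


if __name__ == '__main__':
    for ip, info in detect_bruteforce(constructed_sample()).items():
        print(f"{ip}: {info['failed']} failed logins, compromised={info['compromised']}")
```

Run against the constructed sample, the attacker address is reported with 12 failures and a successful login; the administrator who mistyped once is not. The same logic can be pointed at a real access log with `detect_bruteforce(open(path))`, provided the log is actually being written and retained, which is the gap the decision records.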
What Were the Key Legal Issues?
The key legal issue was whether the Organisation had breached its obligation under section 24 of the PDPA, which requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks.
The PDPC therefore had to determine whether the security arrangements the Organisation actually had in place for the Compromised Personal Data met that standard of reasonableness.
How Did the Court Analyse the Issues?
The PDPC found that the Organisation had never conducted a security review of its IT system, phpMyAdmin included, despite past PDPC decisions that had highlighted the need for such reviews. The Organisation said it had not even been aware that phpMyAdmin was part of its system and that it had no need for the tool.
The PDPC held that a reasonable security review would have covered every web-connected feature of the Organisation's system, and so would have surfaced the Internet-facing phpMyAdmin installation. That would have given the Organisation the opportunity to decide whether to retain the tool and, if so, to address its security requirements (at a minimum, who may reach it from where). Because no such review was conducted, the Organisation missed the chance to close the entry route into the Chizzle Database.
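The PDPC describes the review in the abstract: enumerate what is reachable over the web, then decide whether each exposed feature is needed and how it is restricted. The Python example below, added here and not drawn from the decision or from the Organisation's configuration, makes that concrete for the Apache case. It parses an Apache configuration fragment, lists every `Alias` that publishes a known administration tool, and reports any whose `<Directory>` or `<Location>` block grants access to all sources. Two constructed fragments are checked side by side: a weak one modelled on a stock phpMyAdmin packaging (`Require all granted`) and a hardened one that limits access to an assumed VPN address range. The list of admin-tool path names and the address range are assumptions for the example.

```python
import re

# Constructed Apache fragments for the example; not the Organisation's real configuration.
WEAK_CONF = """
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    Require all granted
</Directory>
"""

HARDENED_CONF = """
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    # reachable only from the office/VPN range (assumed address block)
    Require ip 10.8.0.0/24
</Directory>
"""

# Assumed list of URL path names that indicate an administration tool.
ADMIN_PATHS = ('phpmyadmin', 'pma', 'adminer', 'webmin')

SECTION_OPEN = re.compile(
    r'^<(Directory|Location|DirectoryMatch|LocationMatch)\s+"?([^">]+)"?\s*>$', re.I)
SECTION_CLOSE = re.compile(
    r'^</(Directory|Location|DirectoryMatch|LocationMatch)>$', re.I)


def parse_sections(conf):
    """Return (aliases, sections): aliases maps URL path -> filesystem path,
    sections maps a Directory/Location target -> list of directives inside it."""
    aliases, sections, stack = {}, {}, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = SECTION_OPEN.match(line)
        if m:
            target = m.group(2).strip().rstrip('/')
            stack.append(target)
            sections.setdefault(target, [])
            continue
        if SECTION_CLOSE.match(line):
            stack.pop()
            continue
        parts = line.split()
        if parts[0].lower() == 'alias' and len(parts) >= 3 and not stack:
            aliases[parts[1].rstrip('/')] = parts[2].rstrip('/')
        elif stack:
            sections[stack[-1]].append(line)
    return aliases, sections


def review_exposure(conf):
    """List admin-tool aliases that are reachable without a source or authentication restriction."""
    aliases, sections = parse_sections(conf)
    findings = []
    for url, fs in aliases.items():
        if not any(name in url.lower() for name in ADMIN_PATHS):
            continue
        # directives may sit in a <Location> keyed by URL or a <Directory> keyed by filesystem path
        directives = [d.lower() for d in sections.get(url, []) + sections.get(fs, [])]
        restricted = any(d.startswith(('require ip', 'require local', 'require host', 'authtype'))
                         for d in directives)
        open_to_all = any(d.startswith('require all granted') for d in directives)
        if restricted and not open_to_all:
            continue
        reason = ('no source-address or authentication restriction' if not restricted
                  else 'Require all granted overrides restriction')
        findings.append({'path': url, 'reason': reason})
    return findings


if __name__ == '__main__':
    print('weak:', review_exposure(WEAK_CONF))
    print('hardened:', review_exposure(HARDENED_CONF))
```

The weak fragment produces one finding for `/phpmyadmin`; the hardened fragment produces none. A real review would run this over every enabled site and then ask the question the PDPC posed of the Organisation: is the tool needed at all? If not, removing the `Alias` is safer than restricting it.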
The PDPC concluded that the Organisation had not made reasonable security arrangements to protect the Compromised Personal Data and was therefore in breach of section 24 of the PDPA. The PDPC noted that past PDPC decisions had made clear the need for organizations to conduct security reviews of their IT systems.
What Was the Outcome?
In view of the breach of section 24 of the PDPA, the PDPC directed the Organisation to pay a financial penalty of $8,000. The PDPC also issued several other directions to the Organisation to ensure its compliance with the PDPA, including:
- Engaging qualified personnel to conduct a security audit of its mobile application and IT system
- Furnishing a schedule for the security audit and providing a full report to the PDPC
- Rectifying any security gaps identified in the audit
- Developing an IT security policy to guide its employees on the security of personal data
- Reviewing and revising its developmental processes to adopt a data protection by design approach for future enhancements to the mobile application
- Informing the PDPC in writing of the completion of each of the above directions
The PDPC noted that the financial penalty was reduced from the originally proposed amount to avoid imposing a crushing burden on the Organisation, given its dire financial standing as evidenced by the submitted financial statements and bank account statements.
Why Does This Case Matter?
This case is significant for several reasons:
First, it reinforces the importance of organisations making reasonable security arrangements to protect the personal data in their possession, as required by section 24 of the PDPA. The PDPC has made clear that failing to review an IT system for what it exposes to the Internet, and so leaving an unneeded administration tool reachable from anywhere, can by itself constitute a breach of this obligation.
Second, the case highlights the need for organizations to adopt a data protection by design approach when developing and maintaining their IT systems and applications. The PDPC directed the Organisation to review its developmental processes to incorporate data protection considerations, which is a best practice for ensuring the security and privacy of personal data.
Finally, the case demonstrates the PDPC's willingness to tailor the financial penalties it imposes based on the financial circumstances of the organization, in order to avoid undue hardship. While financial penalties are meant to reflect the seriousness of the breach, the PDPC recognized that a crushing penalty could potentially push the Organisation out of business, and therefore reduced the amount accordingly.
Overall, this case provides valuable guidance for organizations on the importance of implementing robust security measures to protect personal data, and the consequences they may face for failing to do so.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2018] SGPDPC 1
- [2018] SGPDPC 12
- [2018] SGPDPC 26
- [2019] SGPDPC 1
- [2019] SGPDPC 44
- [2020] SGPDPCR 1
Source Documents
This article analyses [2019] SGPDPC 44 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full decision for the Commission's complete reasoning.