
Commeasure Pte Ltd [2021] SGPDPC 11

Analysis of [2021] SGPDPC 11, a decision of the Personal Data Protection Commission on 2021-09-15.

Case Details

  • Citation: [2021] SGPDPC 11
  • Court: Personal Data Protection Commission
  • Date: 2021-09-15
  • Judges: Lew Chuen Hong, Commissioner
  • Plaintiff/Applicant: N/A
  • Defendant/Respondent: Commeasure Pte Ltd
  • Legal Areas: Data Protection – Protection obligation, Data Protection – Data intermediary
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2021] SGPDPC 11, [2017] PDP Digest 160, [2019] PDP Digest 317
  • Judgment Length: 9 pages, 2,173 words

Summary

In this case, the Personal Data Protection Commission (PDPC) investigated a data breach incident at Commeasure Pte Ltd, a hotel booking platform operator in Singapore. The PDPC found that Commeasure had failed to implement reasonable security arrangements to protect the personal data of over 5.8 million customers, in breach of the Personal Data Protection Act 2012 (PDPA). The breach occurred due to Commeasure embedding an AWS access key in a publicly available Android application, which allowed unauthorized access to the company's customer database. The PDPC determined that Commeasure's failure to properly manage its IT assets and conduct rigorous security reviews contributed to the breach, and imposed a financial penalty on the organization.

What Were the Facts of This Case?

Commeasure Pte Ltd is a Singapore-based company that operates the hotel booking platform www.reddoorz.com, serving customers in Southeast Asia. In September 2020, Commeasure notified the PDPC that its customer database containing 5,892,843 records had been accessed and exfiltrated by unknown threat actors.

Investigations revealed that the breach occurred because an AWS access key was embedded within an Android application package (APK) that was publicly available for download on the Google Play Store. This AWS access key provided unrestricted access to Commeasure's production customer database hosted on Amazon RDS. The affected APK was created in 2015 when Commeasure was a startup, and was mistakenly marked as a "test" key by the developers, even though it had access to the live production database.

Commeasure had engaged a cybersecurity company to conduct security reviews and penetration testing in 2019, but the affected APK and AWS access key were not included in the scope of these reviews, as Commeasure had wrongly treated the APK as "defunct". As a result, the vulnerability remained undetected until the data breach incident occurred.

The key legal issues in this case were:

1. Whether Commeasure had failed to make reasonable security arrangements to protect the personal data of its customers, in breach of the protection obligation under Section 24 of the Personal Data Protection Act 2012 (PDPA).

2. Whether Commeasure, as the organization that engaged a data intermediary (AWS) to store its customer data, remained responsible for implementing reasonable security measures to protect that data under the PDPA.

How Did the Court Analyse the Issues?

In analysing the first issue, the PDPC noted that even though Commeasure's customer database was hosted on AWS servers, the data remained under Commeasure's control, and the company was therefore responsible for making reasonable security arrangements to protect it.

The PDPC found that Commeasure's act of embedding the AWS access key, which was effectively the company's "username and password" to the production database, in a publicly available APK was a clear security risk and a breach of the PDPA's protection obligation. The PDPC cited AWS's own guidance cautioning users against embedding access keys directly into code.

The PDPC also found fault with Commeasure's failure to include the affected APK and AWS access key in the scope of its regular security reviews and audits. The PDPC stated that Commeasure's explanation that the APK was considered "defunct" was unacceptable, as the company remained responsible for the security of all its IT assets, regardless of staff turnover or changes.

On the second issue, the PDPC relied on its previous decision in Re The Cellar Door Pte Ltd, which held that an organization remains responsible under the PDPA for making reasonable security arrangements to protect personal data, even if it is held by a data intermediary on the organization's behalf.

What Was the Outcome?

Based on its findings, the PDPC determined that Commeasure had breached Section 24 of the PDPA by failing to implement reasonable security arrangements to protect the personal data in its possession or control.

As a result, the PDPC imposed a financial penalty of S$90,000 on Commeasure. The PDPC also required Commeasure to engage a qualified independent third-party to conduct a comprehensive review of its personal data protection policies and practices, and to implement all recommendations from the review.

Why Does This Case Matter?

This case is significant for several reasons:

1. It reinforces the PDPC's position that organizations remain responsible for the security of personal data under their control, even if that data is stored or processed by a third-party data intermediary. Organizations cannot simply outsource their data protection obligations.

2. The case highlights the importance of organizations maintaining a comprehensive inventory of all IT assets, including legacy or "defunct" systems, and ensuring that they are subject to regular security reviews and audits. Overlooking or disregarding certain assets can expose significant vulnerabilities.

3. The decision serves as a warning to organizations that embedding sensitive access credentials, such as AWS keys, directly into application code is a serious security risk that can lead to data breaches. Proper key management practices are essential.

4. The substantial financial penalty imposed on Commeasure demonstrates the PDPC's willingness to take strong enforcement action against organizations that fail to meet their data protection obligations under the PDPA.
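As an added illustration of the control point 3 calls for (this is not Commeasure's code and not part of the decision), the following Python script treats an APK as the ordinary zip archive it is and scans every entry for AWS access key IDs and, next to them, secret-shaped strings, so that a hard-coded key is caught in a pre-release check rather than after the app is on the Play Store. The sample APK is constructed in memory and the credentials in it are AWS's published placeholder values.

```python
"""Added illustration (not Commeasure's code): scan an APK, which is an ordinary
zip archive, for embedded AWS credentials before release."""
import io
import re
import zipfile

# Long-term access key IDs start with AKIA, temporary ones with ASIA.
ACCESS_KEY_RE = re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 characters from the base64 alphabet.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")

def redact(key: bytes) -> str:
    """Show only the first and last four characters of a matched value."""
    return key[:4].decode() + "..." + key[-4:].decode()

def scan_blob(name: str, data: bytes) -> list:
    """Return (entry, kind, redacted value) findings for one archive entry."""
    findings = [(name, "access_key_id", redact(m.group(0)))
                for m in ACCESS_KEY_RE.finditer(data)]
    # Only report secret-shaped strings in entries that also hold a key ID,
    # which keeps ordinary base64 blobs (icons, certificates) out of the report.
    if findings:
        findings += [(name, "possible_secret", redact(m.group(0)))
                     for m in SECRET_RE.finditer(data)]
    return findings

def scan_apk(apk_bytes: bytes) -> list:
    """Walk every entry of the APK and scan its raw bytes in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            findings.extend(scan_blob(info.filename, zf.read(info)))
    return findings

def build_sample_apk() -> bytes:
    """Constructed minimal 'APK' with a key hard-coded in res/values/strings.xml.
    The values are AWS's documented placeholder credentials, not real ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/values/strings.xml",
                    '<string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>\n'
                    '<string name="aws_secret">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n')
        zf.writestr("classes.dex", b"\x00" * 32)  # placeholder bytecode entry
    return buf.getvalue()

if __name__ == "__main__":
    for entry, kind, value in scan_apk(build_sample_apk()):
        print(f"{entry}: {kind} {value}")
```

Run against a real build artifact, any finding should fail the release pipeline; a key that has already shipped must be treated as exposed and rotated, since removing it from the next build does not revoke it.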

Legislation Referenced

  • Personal Data Protection Act 2012

Cases Cited

  • [2021] SGPDPC 11
  • [2017] PDP Digest 160
  • [2019] PDP Digest 317

Source Documents

This article analyses [2021] SGPDPC 11 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
