
Creative Technology Ltd [2020] SGPDPC 1

Analysis of [2020] SGPDPC 1, a decision of the Personal Data Protection Commission on 2020-01-02.

Case Details

  • Citation: [2020] SGPDPC 1
  • Court: Personal Data Protection Commission
  • Date: 2020-01-02
  • Judges: Tan Kiat How, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: Creative Technology Ltd
  • Legal Areas: Data protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2018] SGPDPC 10, [2020] SGPDPC 1
  • Judgment Length: 6 pages, 1,937 words

Summary

This case concerns a data breach incident involving the online support forum operated by Creative Technology Ltd. In mid-2018, the forum was hacked, resulting in the unauthorized disclosure of personal data of its users. The Personal Data Protection Commission found that Creative Technology Ltd had failed to implement reasonable security measures to protect the personal data, in breach of its obligations under the Personal Data Protection Act 2012. The Commission directed Creative Technology Ltd to pay a financial penalty of $15,000.

What Were the Facts of This Case?

Creative Technology Ltd operated an online support forum (the "Forum") for its products. In November 2018, the Personal Data Protection Commission was informed that the Forum had been hacked sometime in mid-2018, resulting in the unauthorized disclosure of personal data of its users.

The Forum was set up by Creative Technology Ltd in 2004 and used a third-party forum software called "vBulletin" from 2011 onwards. Unknown to Creative Technology Ltd, the vBulletin software had a SQL vulnerability that could allow hackers to extract information from the platform using SQL injection techniques. The vBulletin developers had released patches to address this vulnerability in 2016, but Creative Technology Ltd had not installed these patches at the time of the incident.

On 25 May 2018, an unknown hacker exploited the vBulletin vulnerability to obtain personal data of Forum users from the Forum's database. The personal data accessed and extracted included usernames, hashed and salted passwords, email addresses, and IP addresses. Optional personal data such as age, date of birth, and contact details were also accessible if a user's password was used to log into their account.

Creative Technology Ltd first became aware of the incident on 4 June 2018, when it was notified by a security researcher that he had received a set of user data extracted from the Forum. The company subsequently found that the account information of 484,512 users had been accessed and extracted in the incident, of which 173,763 records contained legitimate email addresses.

The key legal issue in this case was whether Creative Technology Ltd had complied with the "Protection Obligation" under Section 24 of the Personal Data Protection Act 2012 (PDPA). Section 24 requires an organization to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.

The Personal Data Protection Commission had to determine whether Creative Technology Ltd had put in place reasonable security arrangements to protect the personal data of its Forum users.

How Did the Court Analyse the Issues?

The Commission found that Creative Technology Ltd had failed to put in place reasonable security arrangements to protect the personal data, for two main reasons:

First, the company had not patched or updated its version of the vBulletin software since 2015, three years prior to the incident. This allowed the hacker to exploit the known SQL vulnerability in the outdated software to gain unauthorized access to the user data. The Commission emphasized that regular security patching is important for organizations to minimize vulnerabilities in their systems.

Secondly, the Commission found that Creative Technology Ltd's use of the MD5 algorithm to hash user passwords was no longer sufficiently secure. The MD5 algorithm is susceptible to certain attacks, and if the hashed passwords were compromised, it could lead to the disclosure of other personal data. The Commission noted that the vBulletin developers had since moved to a more secure bcrypt algorithm for password hashing.
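The contrast the Commission draws here, between a fast general-purpose digest such as MD5 and a deliberately slow, per-user-salted password hash such as bcrypt, can be shown concretely. The following Python is an added illustration written for this article; it is not code from the decision, the Commission or vBulletin. Because bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 from `hashlib` stands in for it (an assumption of this example): the design point is identical, a random salt plus a tunable work factor. The record formats, the `md5$...` and `pbkdf2_sha256$...` prefixes and the iteration count are constructed for the example, as is the "migrate on login" path that upgrades a legacy record the first time its owner authenticates successfully.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import time

# Legacy scheme (constructed to stand for the MD5-based storage the decision
# criticised): one fast MD5 over salt + password. Cheap to compute for the
# site means equally cheap to compute for anyone who holds a copy of the table.
def md5_salted_hash(password: str, salt: bytes) -> str:
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return f"md5${salt.hex()}${digest}"

# Slow scheme. bcrypt is not in the standard library, so PBKDF2-HMAC-SHA256
# is used here as an assumed stand-in; like bcrypt it takes a per-user salt
# and a work factor that can be raised as hardware gets faster.
PBKDF2_ITERATIONS = 600_000

def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    scheme, *fields = stored.split("$")
    if scheme == "md5":
        salt_hex, _digest = fields
        candidate = md5_salted_hash(password, bytes.fromhex(salt_hex))
    elif scheme == "pbkdf2_sha256":
        iterations, salt_hex, _dk = fields
        candidate = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iterations))
    else:
        raise ValueError(f"unknown hash scheme {scheme!r}")
    return hmac.compare_digest(candidate, stored)

def needs_rehash(stored: str) -> bool:
    """True when the record still uses the legacy hash or a weaker-than-current work factor."""
    scheme, *fields = stored.split("$")
    if scheme == "pbkdf2_sha256":
        return int(fields[0]) < PBKDF2_ITERATIONS
    return True  # md5 or anything unrecognised

def login_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Migrate on login: after a successful check, replace a legacy record with a slow hash.
    Returns (authenticated, record_to_store)."""
    if not verify(password, stored):
        return False, stored
    if needs_rehash(stored):
        stored = pbkdf2_hash(password, os.urandom(16))
    return True, stored

def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Constructed micro-benchmark: guesses per second one core can test offline."""
    salt = b"\x00" * 16
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(f"guess{n}", salt)
        n += 1
    return n / seconds

if __name__ == "__main__":
    legacy = md5_salted_hash("correct horse", os.urandom(16))
    ok, upgraded = login_and_upgrade("correct horse", legacy)
    print("authenticated:", ok, "| new scheme:", upgraded.split("$")[0],
          "| still needs rehash:", needs_rehash(upgraded))
    print(f"MD5    guesses/s on this machine: ~{guesses_per_second(md5_salted_hash):,.0f}")
    print(f"PBKDF2 guesses/s on this machine: ~{guesses_per_second(pbkdf2_hash):,.1f}")
```

Run stand-alone, the script upgrades one legacy record and then prints the guess rates for the two schemes on the local machine; the gap between them is the whole point of the Commission's remark, since a leaked table of slow hashes buys the affected users time that a leaked table of MD5 digests does not. The migrate-on-login function shows how a forum operator can retire the old scheme without knowing anyone's password.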

The Commission rejected Creative Technology Ltd's argument that it had deleted the user database to comply with the data retention obligations under the PDPA. The Commission stated that the company should have retained the database offline for a reasonable period, as the data breach was significant and could have led to potential complaints or investigations. The hasty deletion of the database within two weeks of discovering the incident prejudiced the Commission's ability to verify the number of affected individuals.

What Was the Outcome?

The Personal Data Protection Commission found Creative Technology Ltd in breach of the Protection Obligation under Section 24 of the PDPA. The Commission directed the company to pay a financial penalty of $15,000 within 30 days.

In determining the penalty, the Commission took into account several mitigating factors, such as the company's cooperation during the investigation, its implementation of remedial measures, and the relatively low sensitivity of the personal data involved. However, the Commission also considered the company's hasty deletion of the user database as an aggravating factor that prejudiced the investigation.

Why Does This Case Matter?

This case provides important guidance on the obligations of organizations under the PDPA to protect personal data in their possession. It highlights the importance of implementing reasonable security measures, such as regularly updating software and using secure password hashing algorithms, to prevent data breaches.

The case also underscores the need for organizations to carefully consider their data retention practices, even in the aftermath of a data breach incident. The Commission made it clear that organizations should retain relevant records and data for a reasonable period, as they may be required for potential investigations or legal proceedings.

The decision serves as a reminder to all organizations handling personal data in Singapore to review their data protection practices and ensure they are compliant with the PDPA's requirements. Failure to do so can result in significant financial penalties and reputational damage.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012

Cases Cited

  • [2018] SGPDPC 10
  • [2020] SGPDPC 1

Source Documents

This article analyses [2020] SGPDPC 1 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
