Case Details
- Citation: [2023] SGPDPC 6
- Court: Personal Data Protection Commission
- Date: 2023-05-16
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2017] SGPDPC 10, [2023] SGPDPC 6
- Judgment Length: 10 pages, 1,983 words
Summary
In this case, the Personal Data Protection Commission (PDPC) investigated E-Commerce Enablers Pte. Ltd. ("the Organisation") for a data breach incident that resulted in the unauthorised access and exfiltration of its customers' personal data. The PDPC found that the Organisation had breached its obligations under the Personal Data Protection Act 2012 (PDPA) to make reasonable security arrangements to protect the personal data in its possession. Specifically, the PDPC determined that the Organisation failed to have sufficiently robust processes for managing its AWS access keys, and did not conduct regular security reviews to ensure the proper rotation and deletion of these keys.
What Were the Facts of This Case?
E-Commerce Enablers Pte. Ltd. operates an online platform that offers cashback, coupons, and price comparison features for users. At the time of the incident, the Organisation hosted its customer database on virtual servers in an Amazon Web Services (AWS) cloud environment.
The Organisation employed a 12-person Site Reliability Engineering (SRE) team responsible for maintaining its infrastructure and cloud environment on AWS, including ensuring the security of the AWS access keys. On 4 June 2019, a senior member of the SRE team inadvertently committed the Organisation's AWS access key with full administrative privileges (the "AWS Key") to a private GitHub repository. This was discovered and the key was removed on 6 June 2019, but it remained viewable in GitHub's commit history.
On 21 June 2019, the AWS Key was supposed to be deleted and replaced as part of a key rotation process. However, the SRE team member in charge of the rotation failed to fully disable and remove the AWS Key. As a result, the AWS Key remained usable to access the Organisation's AWS environment, including the customer data servers, for the next 15 months.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had breached its obligations under section 24 of the Personal Data Protection Act 2012 (PDPA) to make reasonable security arrangements to protect the personal data in its possession or under its control.
Specifically, the PDPC's investigation focused on whether the Organisation had failed to implement sufficiently robust processes for managing its AWS access keys, and whether it had failed to conduct regular security reviews to ensure the proper rotation and deletion of these keys.
How Did the Court Analyse the Issues?
In analysing the first issue, the PDPC rejected the Organisation's argument that the compromise of the AWS Key was simply a one-off case of human error by a senior SRE team member. The PDPC explained that organisations cannot solely rely on their employees to perform their duties properly as a security arrangement to protect personal data. There must be additional processes and verifications in place to ensure that critical security tasks are properly completed.
The PDPC noted that for a high-risk task like the rotation of an AWS key that grants full administrative access to the entire AWS environment, it was particularly important for the Organisation to have additional safeguards. For example, the PDPC suggested that the Organisation could have implemented a practice of having a supervisor or another SRE team member test a sample of the old keys to verify that they had been properly disabled.
On the second issue, the PDPC found that the Organisation had failed to conduct regular security reviews to ensure that the AWS keys had been properly rotated and deleted. Such reviews could have detected that the AWS Key remained active and had been used in the 15 months leading up to the incident.
The PDPC acknowledged that the Organisation had taken some remedial measures after the incident, such as implementing a more secure process for issuing temporary, time-limited AWS keys to the SRE team. However, the PDPC noted that the Organisation should also review its incident management processes, as it had taken 15 days to conduct the key rotation after the initial compromise was discovered.
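A key review of the kind the PDPC says was missing, written here as an added example (not the decision's text or the Organisation's own tooling): it takes an IAM access-key listing whose record fields follow the shape of boto3's `list_access_keys` and `get_access_key_last_used` responses, but with constructed data, and flags keys that a rotation ticket says were retired yet still exist or were used afterwards, as well as active keys past their rotation age. The 90-day and 30-day thresholds and the `AKIA-EXAMPLE-*` key IDs are assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation policy: rotate every 90 days
IDLE_LIMIT = timedelta(days=30)   # assumed: an Active key idle this long is flagged

def review_access_keys(keys, last_used, retired, now):
    """Return (AccessKeyId, finding) pairs for keys that need attention.
    keys: records shaped like IAM AccessKeyMetadata (AccessKeyId, Status, CreateDate);
    last_used: AccessKeyId -> LastUsedDate or absent if never used;
    retired: AccessKeyId -> date a rotation ticket says the key was decommissioned."""
    findings = []
    for k in keys:
        kid, status = k["AccessKeyId"], k["Status"]
        used = last_used.get(kid)
        if kid in retired:
            # Rotation was signed off: a surviving key is the verification failure itself
            findings.append((kid, "retired key still Active" if status == "Active"
                             else "retired key disabled but not deleted"))
            if used is not None and used > retired[kid]:
                findings.append((kid, "retired key used after rotation sign-off"))
            continue
        if status != "Active":
            continue
        if now - k["CreateDate"] > MAX_KEY_AGE:
            findings.append((kid, "active key past rotation age"))
        if now - (used or k["CreateDate"]) > IDLE_LIMIT:
            findings.append((kid, "active key idle, candidate for removal"))
    return findings

UTC = timezone.utc

def sample_review():
    """Constructed IAM listing, reviewed as of a constructed review date."""
    now = datetime(2020, 9, 21, tzinfo=UTC)
    def key(user, kid, status, created):
        return {"UserName": user, "AccessKeyId": kid, "Status": status, "CreateDate": created}
    keys = [  # placeholder users and key IDs, not real identifiers
        key("sre-admin", "AKIA-EXAMPLE-0001", "Active", datetime(2019, 1, 10, tzinfo=UTC)),
        key("sre-admin", "AKIA-EXAMPLE-0002", "Active", datetime(2019, 6, 21, tzinfo=UTC)),
        key("ci-deploy", "AKIA-EXAMPLE-0003", "Inactive", datetime(2020, 1, 1, tzinfo=UTC)),
        key("dev-user", "AKIA-EXAMPLE-0004", "Active", datetime(2020, 9, 1, tzinfo=UTC)),
    ]
    last_used = {"AKIA-EXAMPLE-0001": datetime(2020, 9, 20, tzinfo=UTC),
                 "AKIA-EXAMPLE-0002": datetime(2020, 9, 20, tzinfo=UTC)}
    retired = {"AKIA-EXAMPLE-0001": datetime(2019, 6, 21, tzinfo=UTC),
               "AKIA-EXAMPLE-0003": datetime(2020, 1, 15, tzinfo=UTC)}
    return review_access_keys(keys, last_used, retired, now)

if __name__ == "__main__":
    for kid, finding in sample_review():
        print(kid, finding)
```

In the constructed data the first key mirrors the fact pattern above: signed off as rotated, still Active, and used long after sign-off, which is exactly what a second-person check of the old keys or a periodic review would have caught.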
What Was the Outcome?
Based on its findings, the PDPC determined that the Organisation had breached its obligations under section 24 of the PDPA to make reasonable security arrangements to protect the personal data in its possession.
In determining the appropriate financial penalty to impose on the Organisation, the PDPC considered various aggravating and mitigating factors. On the aggravating side, the PDPC noted the Organisation's lack of sufficiently robust incident management processes, which led to a 15-day delay in responding to the exposure of the AWS Key, as well as the fact that the AWS Key was exposed for a prolonged period of 15 months.
On the mitigating side, the PDPC acknowledged that the Organisation had taken prompt remedial actions, including notifying affected individuals, and had been cooperative during the investigation. The PDPC also noted that the Organisation had voluntarily acknowledged its failure to ensure proper rotation and deletion of the AWS Key.
After weighing these factors, the PDPC imposed a financial penalty on the Organisation, the amount of which was not specified in the published judgment.
Why Does This Case Matter?
This case provides important guidance on the obligations of organisations under the PDPA to implement reasonable security arrangements to protect the personal data in their possession or control.
The PDPC's decision emphasises that organisations cannot solely rely on their employees to perform critical security tasks, such as the rotation and deletion of high-privilege access keys. Organisations must have additional processes and verifications in place to ensure the proper completion of these tasks, especially for high-risk activities.
The case also highlights the importance of regular security reviews to detect any lapses or failures in an organisation's security measures. The PDPC found that the Organisation's failure to conduct such reviews contributed to the prolonged exposure of the AWS Key, which ultimately led to the data breach incident.
This judgment serves as a valuable precedent for organisations in Singapore, reminding them of the need to implement robust and comprehensive security measures to protect the personal data in their possession, in accordance with their obligations under the PDPA.
Cases Cited
- [2017] SGPDPC 10 (Re DataPost Pte Ltd)
- [2023] SGPDPC 6 (E-Commerce Enablers Pte. Ltd.)
Source Documents
This article analyses [2023] SGPDPC 6 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.