
Eatigo International Pte. Ltd. [2022] SGPDPC 9

Analysis of [2022] SGPDPC 9, a decision of the Personal Data Protection Commission on 2022-12-21.

Case Details

  • Citation: [2022] SGPDPC 9
  • Court: Personal Data Protection Commission
  • Date: 2022-12-21
  • Judges: Lew Chuen Hong, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: Eatigo International Pte. Ltd.
  • Legal Areas: Data Protection – Protection obligation, Data Protection – Financial Penalty
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2020] SGPDPC 10, [2020] SGPDPC 15, [2021] SGPDPC 11, [2021] SGPDPCR 1, [2022] SGPDPC 6, [2022] SGPDPC 9
  • Judgment Length: 23 pages, 5,699 words

Summary

This case before the Personal Data Protection Commission of Singapore concerns a data breach incident involving Eatigo International Pte. Ltd., an online restaurant reservation platform. The Commission found that Eatigo had failed to maintain a proper personal data asset inventory and implement reasonable security arrangements to protect the personal data in its possession, resulting in the unauthorized access and potential exfiltration of data belonging to approximately 2.76 million of its users. The Commission determined that Eatigo had breached its obligations under the Personal Data Protection Act 2012 and imposed a financial penalty on the organization.

What Were the Facts of This Case?

Eatigo International Pte. Ltd. (the "Organisation") operates an online platform that allows users to make restaurant reservations and receive incentives such as discounts. In the course of its operations, Eatigo collects and processes the personal data of its users.

On 29 October 2020, the Personal Data Protection Commission (the "Commission") was notified by a third party about a possible data leak by Eatigo. A cache of personal data suspected to be from Eatigo's database was being offered for sale on an online forum (the "Incident").

Eatigo's investigations revealed that the personal data for sale on the online forum did not match any of its current databases, but matched the structure of a legacy database (the "Affected Database") that contained user data as of late 2018. This Affected Database was previously hosted on the infrastructure of a Cloud Service Provider in Singapore, but was no longer actively used by Eatigo after it migrated to a new online platform in 2018. However, the Affected Database was retained to support the data migration process and was not properly accounted for in Eatigo's systems.

The Commission found that the Affected Database was accessible from the internet and did not have adequate security measures in place, such as password rotation rules. Eatigo was also unable to determine how or when the unauthorized access and potential exfiltration of the data occurred, as it did not maintain a personal data asset inventory or access logs for the Affected Database.

The key legal issue in this case was whether Eatigo had breached its obligations under Section 24 of the Personal Data Protection Act 2012 (the "PDPA") to protect the personal data in its possession or under its control by taking reasonable security steps or arrangements.

Specifically, the Commission had to determine whether Eatigo had failed to implement reasonable security arrangements to prevent unauthorized access to the Affected Database, and whether its lack of a comprehensive personal data asset inventory contributed to this failure.

How Did the Court Analyse the Issues?

The Commission noted that for organizations with substantial personal data assets, the maintenance of an accurate and up-to-date personal data asset inventory is a prerequisite for complying with the protection obligation under the PDPA. Because the Affected Database was not accounted for in its inventory, Eatigo was unable to ensure that appropriate security measures were in place to protect the personal data stored within it.

The Commission also emphasized that the nature and volume of personal data contained in the Affected Database, which included sensitive information such as passwords and Facebook access tokens for approximately 2.76 million individuals, called for a higher level of security arrangements. The Commission found that Eatigo had not implemented reasonable security measures, such as proper password management, access controls, and monitoring systems, to safeguard this significant personal data asset.

In assessing the reasonableness of Eatigo's security arrangements, the Commission referred to its Advisory Guidelines on Key Concepts in the PDPA, which state that the appropriate level of security measures should be determined based on the nature of the personal data and the potential impact on affected individuals if the data is compromised. Given the scale and sensitivity of the personal data involved in this case, the Commission concluded that Eatigo's security measures were inadequate and fell short of the reasonable steps required under the PDPA.

What Was the Outcome?

Based on its findings, the Commission determined that Eatigo had breached its obligations under Section 24 of the PDPA by failing to implement reasonable security arrangements to protect the personal data in the Affected Database from unauthorized access.

As a result, the Commission imposed a financial penalty of S$90,000 on Eatigo. The Commission noted that Eatigo had voluntarily admitted liability and taken various remedial actions, such as securing and deleting the Affected Database, improving access controls and security settings, and providing staff training on data protection and security.

Why Does This Case Matter?

This case serves as an important reminder to organizations that the maintenance of a comprehensive personal data asset inventory is a fundamental requirement for compliance with the PDPA's protection obligation. By failing to properly account for and secure a legacy database containing a significant volume of personal data, Eatigo left itself vulnerable to a data breach incident that could have had serious consequences for its users.

The Commission's decision emphasizes that organizations must be proactive in identifying and securing all personal data assets under their possession or control, even if those assets are no longer actively used. Neglecting to do so can result in significant financial penalties and reputational damage, as well as expose affected individuals to potential harm from the unauthorized disclosure of their personal information.

This case also highlights the importance of implementing robust security measures commensurate with the nature and volume of personal data an organization handles. The Commission's guidance on the need for a higher level of security for sensitive personal data, such as passwords and access tokens, provides a clear benchmark for organizations to consider when designing their data protection frameworks.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012

Cases Cited

  • [2020] SGPDPC 10
  • [2020] SGPDPC 15
  • [2021] SGPDPC 11
  • [2021] SGPDPCR 1
  • [2022] SGPDPC 6
  • [2022] SGPDPC 9

Source Documents

This article analyses [2022] SGPDPC 9 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
