
Flight Raja Travels Singapore Pte. Ltd. [2018] SGPDPC 16

Analysis of [2018] SGPDPC 16, a decision of the Personal Data Protection Commission on 2018-06-11.

Case Details

  • Citation: [2018] SGPDPC 16
  • Court: Personal Data Protection Commission
  • Date: 2018-06-11
  • Judges: Yeong Zee Kin, Deputy Commissioner
  • Plaintiff/Applicant: N/A
  • Defendant/Respondent: Flight Raja Travels Singapore Pte. Ltd.
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act 2012
  • Cases Cited: [2018] SGPDPC 16
  • Judgment Length: 5 pages, 1,030 words

Summary

This case concerns a breach of the protection obligation under the Personal Data Protection Act 2012 (PDPA) by Flight Raja Travels Singapore Pte. Ltd. (the "Organisation"). A user of the Organisation's online travel booking system, after resuming a timed-out session, was shown 45 booking records belonging to other customers, exposing the personal data of 72 other individuals, including their names, passport numbers, booking and flight details, and the amounts paid. The Personal Data Protection Commission (PDPC) found the Organisation in breach of its obligation under Section 24 of the PDPA to make reasonable security arrangements to protect personal data. The PDPC directed the Organisation to assess the completeness of its application testing and to put in place procedures to manage the risks to personal data whenever it changes its systems.

What Were the Facts of This Case?

The incident occurred when a user of the Organisation's online travel booking system (the "Booking System") resumed his session after a time-out and the Booking System displayed 45 booking records belonging to other customers, containing the personal data of 72 individuals: names, passport numbers, booking IDs, flight details, booking dates, amounts paid and flight inclusions.

Prior to December 2016, the Booking System was accessed through a browser login on the Organisation's website. The Organisation then introduced a new mobile application (the "New Mobile App") that granted access from mobile devices without a login, identifying registered users by recognising their mobile device IDs.

The introduction of the New Mobile App had two unintended effects. First, when users who had newly registered and completed a booking through the browser resumed their sessions after a time-out, the system no longer redirected them to the homepage; it kept them on the same page, from which the "Dashboard" remained reachable. Second, when these users opened the Dashboard tabs, they were shown the booking records of other individuals, up to a maximum of 45 records. In security terms, the first effect is a failure to enforce session expiry and the second a failure to bind the Dashboard query to the authenticated user; the second defect only became reachable because of the first.

The PDPC's investigation found that the Organisation had failed to conduct proper integration testing of the New Mobile App with the existing Booking System, which led to these unintended effects that compromised the personal data of its users.
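To make the failure class concrete, the following is an added example and not the Organisation's code, which the decision does not disclose. It is a hypothetical reconstruction: the data model, the function and user names, the page size of 45, and the specific mechanism (a lookup that falls back to a device ID that browser-registered users never have, so a `None` device ID matches every browser booking) are all assumptions chosen to reproduce the two effects the PDPC describes, not findings from the decision. The hardened version refuses to serve a timed-out session and always filters on the authenticated owner, and `run_change_tests` is the kind of integration check, exercised across both user populations and the time-out path, that the PDPC's directions call for.

```python
"""Hypothetical reconstruction of the failure class in [2018] SGPDPC 16.

Added illustration only: the Organisation's real code and root cause are not
public. Every name, record and the page size below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Booking:
    booking_id: str
    owner_user_id: str
    device_id: Optional[str]   # None when the booking was made through the browser
    passport_no: str


@dataclass
class Session:
    user_id: Optional[str]     # login-derived identity; cleared on time-out
    device_id: Optional[str]   # set only for users who registered through the app
    timed_out: bool = False


class ReauthRequired(Exception):
    """Raised when a timed-out session tries to reach an authenticated page."""


# Constructed sample data: two app-registered users, two browser-registered users.
BOOKINGS: List[Booking] = [
    Booking("B-1001", "alice", "dev-alice", "E1111111A"),
    Booking("B-1002", "bob",   "dev-bob",   "E2222222B"),
    Booking("B-1003", "carol", None,        "E3333333C"),  # browser booking
    Booking("B-1004", "dave",  None,        "E4444444D"),  # browser booking
]


def expire(session: Session) -> Session:
    """Simulate the time-out: the login identity is dropped, the device ID survives."""
    return Session(user_id=None, device_id=session.device_id, timed_out=True)


def dashboard_vulnerable(session: Session, bookings: List[Booking] = BOOKINGS,
                         page_size: int = 45) -> List[Booking]:
    """Assumed flawed lookup: after a time-out the code falls back to the
    no-login mobile path and filters on session.device_id. A browser-registered
    user has no device ID, so `b.device_id == None` matches every browser
    booking in the system rather than none. The page size is an assumption
    mirroring the 45-record maximum the decision reports."""
    if session.user_id is not None:
        return [b for b in bookings if b.owner_user_id == session.user_id]
    return [b for b in bookings if b.device_id == session.device_id][:page_size]


def dashboard_hardened(session: Session, bookings: List[Booking] = BOOKINGS) -> List[Booking]:
    """Two fixes: a timed-out session is never served (redirect to login), and
    records are bound to the authenticated owner, never to a nullable attribute."""
    if session.timed_out or session.user_id is None:
        raise ReauthRequired("session expired; redirect to login")
    return [b for b in bookings if b.owner_user_id == session.user_id]


def run_change_tests(handler: Callable[[Session], List[Booking]]) -> dict:
    """Integration check across both user populations and the time-out path.
    Returns {case_name: sorted IDs of records not owned by the real user,
    or "reauth" if the handler forced re-authentication}."""
    cases = {
        "app_user_active":        ("alice", Session("alice", "dev-alice")),
        "browser_user_active":    ("carol", Session("carol", None)),
        "app_user_timed_out":     ("alice", expire(Session("alice", "dev-alice"))),
        "browser_user_timed_out": ("carol", expire(Session("carol", None))),
    }
    report = {}
    for name, (owner, sess) in cases.items():
        try:
            shown = handler(sess)
        except ReauthRequired:
            report[name] = "reauth"
            continue
        report[name] = sorted(b.booking_id for b in shown if b.owner_user_id != owner)
    return report


if __name__ == "__main__":
    # Only the browser-registered, timed-out case leaks under the flawed lookup.
    print("vulnerable:", run_change_tests(dashboard_vulnerable))
    print("hardened:  ", run_change_tests(dashboard_hardened))
```

The point of `run_change_tests` is that the leaking case is invisible to tests that only cover active sessions or only app-registered users; a test matrix written when the New Mobile App was introduced had to include the population the change did not target (browser registrants) and the state the change did not consider (expired sessions).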

The key legal issue in this case was whether the Organisation had breached its obligations under Section 24 of the Personal Data Protection Act 2012 (PDPA) to make reasonable security arrangements to protect the personal data in its possession or under its control.

Section 24 of the PDPA requires organizations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. When an organization makes changes to a system that processes personal data, it has a duty to ensure that the changes do not compromise the protection of that personal data.

How Did the Court Analyse the Issues?

The PDPC, as the regulatory authority, examined whether the Organisation had made reasonable security arrangements within the meaning of Section 24 of the PDPA when it introduced the New Mobile App.

The PDPC found that the Organisation had failed to conduct proper integration testing of the New Mobile App with the existing Booking System. Specifically, the PDPC noted that the Organisation did not consider how the changes would affect newly registered users who had completed bookings through the browser, as these users did not have mobile device IDs associated with their accounts.

The PDPC also found that the Organisation did not anticipate the scenario of session time-outs for these newly registered users, which led to the unintended disclosure of other users' personal data when they accessed the Dashboard tabs.

In reaching its conclusion, the PDPC considered the specific circumstances of the disclosure, noting that it was a relatively uncommon occurrence requiring a specific sequence of events. The PDPC also noted that the disclosure was likely limited to bona fide customers rather than outsiders, and that the flaw was less readily discoverable by an attacker than more obvious security vulnerabilities. These factors went to the severity of the breach and the directions issued, not to liability: an access-control defect reachable only through a particular sequence of events is still a failure to protect personal data once a customer can trigger it.

What Was the Outcome?

The PDPC found the Organisation in breach of Section 24 of the PDPA and issued the following directions:

  1. Assess whether its application testing has been complete in order to discover and remedy any risk to personal data from the changes made to introduce the new mobile application function;
  2. Furnish a report of the assessment as well as action taken in response; and
  3. Put in place procedures and processes to manage the risks to the personal data in its possession or control when making changes to its applications, by implementing testing procedures and documenting the tests conducted.

The PDPC's directions were aimed at ensuring that the Organisation took appropriate measures to identify and address any risks to personal data arising from changes to its systems, and to implement robust testing procedures to prevent similar breaches in the future.

Why Does This Case Matter?

This case is significant for several reasons:

First, it highlights the importance of organizations conducting thorough integration testing when making changes to systems that process personal data. The failure to anticipate the impact of the changes on newly registered users led to a breach of the PDPA's protection obligations.

Second, the case demonstrates the PDPC's approach to assessing the severity of a data breach and determining appropriate remedial measures. The PDPC considered the specific circumstances of the breach, including the likelihood of the disclosure and the nature of the personal data involved, in determining the appropriate directions to issue.

Third, the case provides guidance to organizations on the steps they should take to manage the risks to personal data when making changes to their systems. The PDPC's directions emphasize the importance of comprehensive testing procedures and documentation to ensure the continued protection of personal data.

Overall, this case underscores the need for organizations to prioritize data protection and security when introducing or modifying systems that handle personal data, in order to comply with their obligations under the PDPA and avoid potential enforcement action by the PDPC.

Legislation Referenced

  • Personal Data Protection Act 2012

Cases Cited

  • [2018] SGPDPC 16

Source Documents

This article analyses [2018] SGPDPC 16 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
