
Fortytwo Pte. Ltd. [2023] SGPDPCS 3

Analysis of [2023] SGPDPCS 3, a decision of the Personal Data Protection Commission on 2023-05-11.


Case Details

  • Citation: [2023] SGPDPCS 3
  • Court: Personal Data Protection Commission
  • Date: 2023-05-11
  • Judges: Not specified
  • Plaintiff/Applicant: Not specified
  • Defendant/Respondent: Fortytwo Pte. Ltd.
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act
  • Cases Cited: None listed
  • Judgment Length: 6 pages, 1,446 words

Summary

This case concerns an investigation by the Singapore Personal Data Protection Commission (PDPC) into a data breach at Fortytwo Pte. Ltd., an online furniture store. Malicious code injected into Fortytwo's website captured customers' email addresses, passwords and payment card details. The PDPC found that Fortytwo had breached its protection obligation under the Personal Data Protection Act (PDPA) by failing to apply critical security patches to the software running its online store, leaving the site exposed to the attack. Although Fortytwo cooperated with the investigation and took prompt remedial action, the PDPC imposed a financial penalty of S$8,000 for its failure to adequately protect its customers' personal data.

What Were the Facts of This Case?

On 24 December 2021, Fortytwo Pte. Ltd. (the "Organisation"), an online furniture store, notified the Personal Data Protection Commission (the "Commission") of a data breach on its website. Malicious code injected into the site captured the email address and password of 6,241 individuals as they logged in, and the name, credit card number, expiry date and CVV/CVN number of a further 98 individuals.

The Organisation requested that the matter be handled under the Commission's expedited breach decision procedure, which meant that the Organisation voluntarily provided and unequivocally admitted to the facts set out in the decision and acknowledged its breach of section 24 of the Personal Data Protection Act (the "PDPA").

The Organisation stated that it does not verify the names provided by its users and suggested that the impact of the incident might be more limited as some of the users' names may be incomplete, fictitious, or pseudonymous. However, the Commission clarified that even if some customers had provided inaccurate information, the Organisation was still responsible for protecting the personal data it had collected, regardless of its accuracy.

The key legal issue was whether the Organisation had breached its protection obligation under section 24 of the PDPA by failing to implement reasonable security arrangements to prevent unauthorised access to and disclosure of its customers' personal data.

Another issue that arose was whether fictitious or pseudonymous personal data should be considered "personal data" under the PDPA, and how this might impact the scope of the Organisation's obligations. The Commission clarified that the PDPA applies to all personal data collected by an organisation, regardless of its accuracy or the intention behind its provision.

How Did the Commission Analyse the Issues?

The Commission found that the Organisation had breached section 24(a) of the PDPA. The Organisation admitted that the breach occurred because it had failed to apply four critical security patches released by Adobe for the Magento open-source software running its online store. The patches, released between November 2017 and April 2020, addressed several high-severity vulnerabilities, including ones that allowed malicious code injection.

The Commission noted that the Organisation had considered and evaluated the patches but decided not to install them, leaving its systems exposed to the attack that caused the breach. The Commission emphasised that it has consistently advised organisations to apply security patches promptly to close known vulnerabilities and protect against cyber-attacks.

The Commission further found that the Organisation had continued to run Magento 1.x after Adobe ended support for that branch in June 2020, at which point the software stopped receiving security fixes altogether. Despite ample notice from Adobe, the Organisation had not upgraded to a supported version, which the Commission characterised as a prolonged failure to perform the necessary upgrades.

What Was the Outcome?

Based on the facts and circumstances of the case, the Commission found the Organisation in breach of its data protection obligations under section 24(a) of the PDPA. As a result, the Commission directed the Organisation to pay a financial penalty of S$8,000 within 30 days, failing which interest would accrue on the outstanding amount.

The Commission also directed the Organisation to complete the upgrade of its website to a supported software version, including vulnerability assessment and penetration testing, within six months of the direction, and to inform the Commission within 14 days of completing the upgrade.

Why Does This Case Matter?

This case is significant for several reasons. Firstly, it reinforces the importance of organisations complying with their data protection obligations under the PDPA, particularly the requirement to implement reasonable security measures to protect personal data in their possession or control.

The case makes clear the Commission's position that organisations must act promptly on known security vulnerabilities, for example by applying vendor patches; having considered and evaluated a patch and then decided against installing it is no defence. Failure to act can have significant consequences, as the financial penalty imposed on Fortytwo shows.

Additionally, the case clarifies the Commission's interpretation of "personal data" under the PDPA, which includes data that may be incomplete, fictitious, or pseudonymous. This underscores the need for organisations to treat all personal data they collect with the same level of care and protection, regardless of its accuracy or the intention behind its provision.

Overall, this case serves as a valuable precedent for organisations in Singapore, highlighting the importance of proactive and diligent data protection practices, and the potential consequences of failing to meet their legal obligations.

This article analyses [2023] SGPDPCS 3 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full decision for the Commission's complete reasoning.

Written by Sushant Shukla
