Case Details
- Citation: [2019] SGPDPC 29
- Court: Personal Data Protection Commission
- Date: 2019-07-30
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: N/A
- Defendant/Respondent: Friends Provident International Limited
- Legal Areas: Data protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2019] SGPDPC 29
- Judgment Length: 7 pages, 1,306 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that Friends Provident International Limited, a company that provides life assurance services in Singapore, had breached its obligation under the Personal Data Protection Act 2012 (PDPA) to protect the personal data of its policyholders. The breach arose from a vulnerability in the company's online portal that allowed ordinary policyholders, who were not authorized personnel, to access and download reports containing the personal data of other policyholders. The PDPC issued a warning to the company, while recognizing that the potential for misuse of the disclosed data was relatively low and that the company had promptly remedied the issue upon learning of the breach.
What Were the Facts of This Case?
Friends Provident International Limited (the "Organisation") is a company established in the Isle of Man that provides life assurance services in Singapore through a registered branch office. In the course of its operations, the Organisation maintains an online portal (the "Portal") through which its policyholders can request changes to their personal information, such as contact details.
The Organisation's policyholders and authorized personnel could access the Portal via a "Secured Mailbox" webpage on the Organisation's website (the "Secured Mailbox Webpage"). Authorized personnel could generate reports containing the data of policyholders who had made requests through the Portal (the "Reports"). These Reports were stored in the Portal and could be accessed by the Organisation's authorized personnel.
The ability to generate and access the Reports was intended to be restricted to the Organisation's authorized personnel. To achieve this, the "Report" tab, which enabled the generation of and access to the Reports, was hidden from policyholders when they accessed the Secured Mailbox Webpage. However, due to faulty JavaScript within the Secured Mailbox Webpage, the "Report" tab became visible to policyholders when they shrank their desktop browser window or accessed the Secured Mailbox Webpage from a mobile device (the "Vulnerability"). As no additional verification or authorization was required once the "Report" tab was reachable, policyholders were able to generate and download the Reports containing the personal data of other policyholders.
The Vulnerability had likely been exploitable since 30 September 2017, when the Secured Mailbox Webpage was introduced. On 12 December 2017, one of the Organisation's policyholders discovered that he could generate and download Reports from the Portal containing the names, policy numbers, and regions of residence of other policyholders. The policyholder reported this to the Monetary Authority of Singapore, which in turn notified the Organisation of the incident (the "Reported Breach"). Until then, the Organisation had been unaware of the Vulnerability.
After the Reported Breach, the Organisation determined that before the Vulnerability was fixed, 42 Reports had been produced and downloaded by 21 policyholders or their advisors, affecting a total of 240 individuals, 11 of whom had their policy numbers disclosed.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had breached its obligation under Section 24 of the Personal Data Protection Act 2012 (PDPA) to protect the personal data of its policyholders in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, disclosure, and similar risks.
Specifically, the PDPC had to determine whether the Organisation's measures to restrict access to the Reports were sufficient, and whether the testing of the Secured Mailbox Webpage was adequate to address the risk of unauthorized access to the personal data contained in the Reports.
How Did the Court Analyse the Issues?
The PDPC found that the Organisation had not made reasonable security arrangements to protect the personal data of its policyholders, and was therefore in breach of Section 24 of the PDPA, for two main reasons.
First, the PDPC found that the manner in which the Organisation restricted access to the Reports was insufficient to prevent unauthorized access. Once a user gained access to the Secured Mailbox Webpage and could view the "Report" tab, no further authorization or verification was required to generate and download the Reports. The PDPC stated that this was insufficient, as there could be various ways in which the hidden tab could be revealed, even without the faulty JavaScript.
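The distinction the PDPC draws here, a tab hidden in the browser versus an authorization check on the server, as an added illustration that is not the Organisation's code: the session table, roles and report rows are constructed, and the handler names are hypothetical.

```javascript
// Added illustration (not the Organisation's code): a minimal in-memory model of a
// "Secured Mailbox" back end. Sessions, roles and report contents are constructed.
const sessions = {
  'sess-staff': { user: 'ops-admin', role: 'staff' },
  'sess-holder': { user: 'policyholder-1', role: 'policyholder' },
};
// Constructed sample rows; the real Reports held names, policy numbers and regions.
const REPORTS = [{ name: 'Policyholder A', policyNo: 'PH-0001', region: 'APAC' }];

// Client-side rendering: decides which tabs to draw. Hiding the Report tab here is
// a usability choice, not a security control, because the browser is under the
// user's control (a responsive-layout bug, as in this case, is enough to reveal it).
function renderTabs(session) {
  const tabs = ['Requests', 'Messages'];
  if (session.role === 'staff') tabs.push('Report');
  return tabs;
}

// Vulnerable handler: any authenticated session can fetch the Reports. The hidden
// tab is the only thing standing between a policyholder and the data.
function handleReportsVulnerable(req) {
  const session = sessions[req.sessionId];
  if (!session) return { status: 401, body: 'login required' };
  return { status: 200, body: REPORTS }; // no authorization check at all
}

// Hardened handler: authorization is enforced on the server for every request,
// independent of what the UI showed. Denied attempts are recorded for detection.
function handleReportsHardened(req, audit = []) {
  const session = sessions[req.sessionId];
  if (!session) return { status: 401, body: 'login required' };
  if (session.role !== 'staff') {
    audit.push(`DENY reports user=${session.user} role=${session.role}`);
    return { status: 403, body: 'forbidden' };
  }
  audit.push(`ALLOW reports user=${session.user}`);
  return { status: 200, body: REPORTS };
}
```

A spike of 403 entries in the audit trail for the reports endpoint is also the signal that would have surfaced this Vulnerability well before a policyholder reported it.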
Second, the PDPC found that the Organisation's testing of the Secured Mailbox Webpage was inadequate. Given that the Secured Mailbox Webpage was intended for use across a variety of devices and screens, the PDPC stated that testing should have been conducted across multiple browsers and devices. The PDPC noted that simply accessing the Secured Mailbox Webpage on a mobile device as part of its tests would have revealed the Vulnerability to the Organisation.
What Was the Outcome?
Taking the totality of the circumstances into account, the PDPC decided to issue a warning to the Organisation for its contravention of Section 24 of the PDPA. In reaching this conclusion, the PDPC noted that the potential for misuse of the personal data disclosed was relatively low because the data was not of a nature where identity theft could be committed. The PDPC also recognized that the Organisation had promptly notified the Commission and implemented remedial actions upon learning of the Reported Breach.
Why Does This Case Matter?
This case is significant for several reasons:
First, it highlights the importance of implementing robust and comprehensive security measures to protect personal data, even for seemingly simple online portals. The PDPC made it clear that merely hiding sensitive functionality from unauthorized users is not sufficient, and that organizations must have proper authorization and verification mechanisms in place.
Second, the case emphasizes the need for thorough testing of web applications across a range of devices and screen sizes. The PDPC noted that the Organisation's failure to test the Secured Mailbox Webpage on mobile devices and different screen resolutions contributed to the breach, underscoring the importance of comprehensive testing to identify and address potential vulnerabilities.
Finally, the case demonstrates the PDPC's willingness to take enforcement action against organizations that fail to meet their data protection obligations, even in cases where the potential for harm is relatively low. The warning issued to the Organisation serves as a reminder to all organizations handling personal data in Singapore to prioritize data protection and implement appropriate security measures.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2019] SGPDPC 29
Source Documents
This article analyses [2019] SGPDPC 29 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.