Case Details
- Citation: [2018] SGPDPC 29
- Court: Personal Data Protection Commission
- Date: 2018-12-13
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Funding Societies Pte. Ltd.
- Legal Areas: Data Protection – Protection obligation, Data Protection – Personal data
- Statutes Referenced: Personal Data Protection Act 2012 (PDPA)
- Cases Cited: [2017] SGPDPC 14, [2017] SGPDPC 18, [2018] SGPDPC 29
- Judgment Length: 13 pages, 2,941 words
Summary
In this case, the Personal Data Protection Commission (PDPC) investigated Funding Societies Pte. Ltd., the operator of an online financing platform, for a data breach that exposed the personal data of its members. The PDPC found that Funding Societies failed to implement reasonable security measures to protect its members' personal data, including sensitive financial information, in breach of its obligations under the Personal Data Protection Act 2012 (PDPA). The PDPC ordered Funding Societies to improve its data protection practices and processes.
What Were the Facts of This Case?
Funding Societies operates an online platform that connects borrowers and investors. Individuals who use the platform must register for an account, either as an "Investor" or a "Borrower" (collectively, "Members"). Each Member is given a unique identifier, known as a "MemberID", which is generated sequentially.
On 25 July 2017, one of Funding Societies' Members, referred to as Mr. J, informed the company that he had discovered a vulnerability in the website that allowed him to access the personal data of two other Members. Funding Societies immediately investigated the issue and found that the vulnerability had existed since 19 June 2017, when the company had rolled out new system components for the website.
The vulnerability stemmed from Funding Societies' decision to decouple the authentication and authorization processes on the website. When a Member logged in, their browser would receive two tokens: an authentication token containing the Member's MemberID, and an authorization token, also containing the same MemberID. The website's security system was designed to only verify the validity of the authentication token, without ensuring that the MemberIDs in both tokens matched.
As a result, a logged-in Member could access another Member's data by simply changing the MemberID in the authorization token. Funding Societies became aware of this vulnerability on 7 July 2017, but did not immediately implement a complete fix, leading to the data breach that occurred on 25 July 2017.
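To make the flaw concrete, here is an added illustration (not Funding Societies' code; the token format, the `SECRET` key, the `MEMBERS` records and all function names are constructed for this example) of the two-token login described above, with the unchecked lookup beside a hardened version that verifies both tokens, requires the MemberIDs to match, and records mismatches for the kind of unauthorized-access logging the PDPC later ordered.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

SECRET = b"constructed-demo-key"  # hypothetical signing key, for this example only

# Constructed member records standing in for the platform's database.
MEMBERS = {
    101: {"name": "Investor A", "bank_account": "xxx-101"},
    102: {"name": "Borrower B", "bank_account": "xxx-102"},
}
AUDIT_LOG = []  # (authenticated MemberID, requested MemberID) on every mismatch

def sign(payload: dict) -> str:
    """Encode a JSON payload and append an HMAC-SHA256 tag, separated by a dot."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify(token: str) -> Optional[dict]:
    """Return the payload if the tag is valid, otherwise None."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def issue_tokens(member_id: int) -> Tuple[str, str]:
    """Login issues two tokens that both carry the MemberID, as the decision describes."""
    return (sign({"member_id": member_id, "kind": "authn"}),
            sign({"member_id": member_id, "kind": "authz"}))

def fetch_account_flawed(authn_token: str, authz_token: str) -> Optional[dict]:
    """Flawed check: only the authentication token is verified; the MemberID used
    for the lookup is read from the authorization token without any cross-check."""
    if verify(authn_token) is None:
        return None
    requested = json.loads(base64.urlsafe_b64decode(authz_token.split(".")[0]))
    return MEMBERS.get(requested["member_id"])

def fetch_account_fixed(authn_token: str, authz_token: str) -> Optional[dict]:
    """Hardened check: verify both tokens, then refuse and log any MemberID mismatch."""
    authn, authz = verify(authn_token), verify(authz_token)
    if authn is None or authz is None:
        return None
    if authn["member_id"] != authz["member_id"]:
        AUDIT_LOG.append((authn["member_id"], authz["member_id"]))
        return None
    return MEMBERS.get(authz["member_id"])
```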
What Were the Key Legal Issues?
The key legal issue in this case was whether Funding Societies had complied with its data protection obligations under Section 24 of the PDPA. Section 24 requires organizations to protect the personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.
The PDPC had to determine whether Funding Societies' security measures were reasonable, given the sensitivity of the personal data it held, which included financial information such as bank account details and wallet account balances.
How Did the Court Analyse the Issues?
The PDPC found that Funding Societies did not have reasonable security arrangements in place to prevent the unauthorized access, use, and disclosure of its Members' personal data. First, the PDPC noted that Funding Societies' decision to decouple the authentication and authorization processes was a "deliberate design decision" to enable "stateless API development", but the company failed to implement a security measure to ensure that the two tokens carried the same MemberID before granting access to data. This was a "fundamental mistake" that left a "glaring vulnerability" in the website.
Second, the PDPC found that Funding Societies did not adequately test the security of its website. While the company claimed to have conducted testing prior to the rollout of the new components, it was unable to provide documentation of such testing. The PDPC emphasized that more rigorous testing was necessary, especially given the sensitive nature of the personal data involved.
The PDPC also noted that Funding Societies took 37 days to fully address the vulnerability, despite being aware of it for 18 days before the data breach occurred. The PDPC considered this delay unacceptable, especially for a vulnerability that was so obvious that it had been discovered by the company's own engineer.
What Was the Outcome?
Based on its findings, the PDPC concluded that Funding Societies had breached its data protection obligations under Section 24 of the PDPA. The PDPC ordered Funding Societies to implement a number of remedial measures, including:
- Introducing a more robust logging system to track unauthorized access to user account data
- Forming an internal quality assurance team and implementing documentation requirements for testing
- Applying secure connection technologies, such as Transport Layer Security (TLS), to all websites and web applications handling personal data
- Storing documents containing personal data in private, authenticated storage buckets
- Developing and implementing policies and procedures to manage future rollouts of new system components
The PDPC did not impose a financial penalty on Funding Societies, but the company was required to report to the PDPC on the implementation of the remedial measures within three months.
Why Does This Case Matter?
This case is significant for several reasons. First, it underscores the importance of organizations implementing robust and comprehensive security measures to protect the personal data in their possession, especially sensitive information like financial data. The PDPC made it clear that a "fundamental mistake" in the design of Funding Societies' website security system was unacceptable, and that more rigorous testing was necessary.
Second, the case highlights the PDPC's willingness to closely scrutinize an organization's data protection practices and hold it accountable for any failures, even if no actual harm or misuse of the data occurred. The PDPC emphasized that the mere risk of unauthorized access was sufficient to constitute a breach of the PDPA's protection obligations.
Finally, this case serves as a valuable precedent for organizations operating in Singapore's digital economy. It sends a clear message that the PDPC takes data protection seriously and will not hesitate to order remedial measures to address vulnerabilities and improve security practices, even in the absence of a significant data breach incident.
Legislation Referenced
- Personal Data Protection Act 2012 (PDPA)
Cases Cited
- [2017] SGPDPC 14 (Re Aviva Ltd)
- [2017] SGPDPC 18 (Credit Counselling Singapore)
- [2018] SGPDPC 29 (Funding Societies Pte. Ltd.)
Source Documents
This article analyses [2018] SGPDPC 29 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.