
InfoCorp Technologies Pte. Ltd. [2019] SGPDPC 17

Analysis of [2019] SGPDPC 17, a decision of the Personal Data Protection Commission on 2019-06-20.

Case Details

  • Citation: [2019] SGPDPC 17
  • Court: Personal Data Protection Commission
  • Date: 2019-06-20
  • Judges: Tan Kiat How, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: InfoCorp Technologies Pte. Ltd.
  • Legal Areas: Data protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act 2012
  • Cases Cited: [2019] SGPDPC 17
  • Judgment Length: 6 pages, 1,119 words

Summary

This case concerns the unauthorized access and disclosure of personal data arising from a registration exercise for a cryptocurrency initial coin offering (ICO) conducted by InfoCorp Technologies Pte. Ltd. (the "Organisation"). The Personal Data Protection Commission (PDPC) found the Organisation in breach of its obligation under Section 24 of the Personal Data Protection Act 2012 (PDPA) to protect the personal data in its possession. The PDPC imposed a financial penalty of S$6,000 on the Organisation for its failure to implement reasonable security arrangements to prevent the unauthorized access and disclosure of the personal data.

What Were the Facts of This Case?

The Organisation had conducted a cryptocurrency ICO registration exercise via a website it owned and managed. The registration process involved participants ("Participants") inputting personal data such as name, email address, date of birth, identification details, nationality, and residential address ("Personal Data Set"). Participants also had to upload Know-Your-Customer (KYC) documents, including identification documents, proof of residence, and a photograph of the participant holding the identification document.

The incident was caused by a vulnerability in the design of the registration form. There was no requirement built into the system to authenticate the individuals downloading the KYC documents. The URL assigned to each Participant also contained a serialized file identity ("FileID") as the last few characters, allowing Participants to access other Participants' saved KYC documents by altering the last few characters of the assigned URL. As a result, the KYC documents of 21 Participants were downloaded by 15 other Participants through this vulnerability.

The Organisation took the server offline immediately after being informed of the incident and contacted the 15 Participants who had downloaded the KYC documents, instructing them to destroy the documents not belonging to them. Prior to the incident, the Organisation had engaged a vendor to design the registration form and had considered data protection elements, such as encrypting the Personal Data Sets. However, the same level of diligence was not exercised with respect to the uploaded KYC documents.
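The flaw described above is an insecure direct object reference: the download route trusts the serial FileID at the end of the URL and never asks who is requesting the file. The following added example (not code from the decision or from the Organisation's vendor) contrasts that pattern with a hardened handler that requires a session, checks ownership server-side, hands out unguessable handles instead of serial IDs, and records refusals so that probing of other participants' documents is visible to defenders. All names, data and the `Forbidden` exception are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: three KYC uploads stored under sequential file IDs,
# mirroring the "serialized FileID" scheme described in the decision.
@dataclass(frozen=True)
class KycDocument:
    owner: str      # participant who uploaded it
    filename: str

DOCS_BY_SERIAL_ID: Dict[int, KycDocument] = {
    1001: KycDocument("alice", "alice_passport.jpg"),
    1002: KycDocument("bob", "bob_passport.jpg"),
    1003: KycDocument("carol", "carol_passport.jpg"),
}

class Forbidden(Exception):
    """Raised when a requester is not entitled to the requested document."""

def vulnerable_download(file_id: int) -> KycDocument:
    """The flawed pattern: the trailing serial ID from the URL is the only
    thing consulted; nothing ties the requester to the document."""
    return DOCS_BY_SERIAL_ID[file_id]

# Hardened variant: (1) the route requires an authenticated session,
# (2) ownership is enforced server-side, (3) public handles are random
# tokens, so one participant's handle reveals nothing about another's.
_TOKEN_TO_SERIAL: Dict[str, int] = {}
DENIED_ATTEMPTS: List[Tuple[Optional[str], str]] = []  # feed to alerting

def issue_download_token(owner: str, file_id: int) -> str:
    """Mint an unguessable handle for a document the owner may view."""
    if DOCS_BY_SERIAL_ID[file_id].owner != owner:
        raise Forbidden(f"{owner} does not own file {file_id}")
    token = secrets.token_urlsafe(32)
    _TOKEN_TO_SERIAL[token] = file_id
    return token

def hardened_download(session_user: Optional[str], token: str) -> KycDocument:
    if session_user is None:
        raise Forbidden("login required")
    file_id = _TOKEN_TO_SERIAL.get(token)
    doc = DOCS_BY_SERIAL_ID.get(file_id) if file_id is not None else None
    if doc is None or doc.owner != session_user:
        # Log every refusal: a burst of denials from one account is the
        # signal that someone is trying other participants' handles.
        DENIED_ATTEMPTS.append((session_user, token))
        raise Forbidden("not your document")
    return doc
```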

The key legal issue in this case was whether the Organisation had breached Section 24 of the PDPA, which requires an organization to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.

The PDPC had to determine whether the Organisation had taken reasonable security arrangements to protect the personal data collected from the Participants, particularly the KYC documents, which contained sensitive personal information.

How Did the Court Analyse the Issues?

The PDPC found that the Organisation had full possession and control over the personal data collected from the Participants and was responsible for the IT security of the website and the personal data contained therein, even though it had engaged a vendor to design the registration form.

The PDPC acknowledged that the Organisation had taken reasonable security measures to protect the Personal Data Sets by encrypting them and preventing unauthorized access by third parties. However, the PDPC found that the Organisation had not accorded sufficient protection to the KYC documents.

The PDPC noted that the Organisation had only performed standard functional tests on the website prior to launching it, and had not conducted any penetration testing or web application vulnerability scans. Had these tests and scans been performed, the well-known vulnerability that allowed Participants to access other Participants' KYC documents could have been easily detected. Given the sensitive nature of the personal data contained in the KYC documents, the PDPC found it unreasonable that the Organisation had omitted these security measures before launching the website.

The PDPC also considered the ease with which the vulnerability could be exploited by simply changing the last few numbers of the URL, which made the lack of security measures more egregious. Accordingly, the PDPC concluded that the Organisation had breached Section 24 of the PDPA by failing to implement reasonable security arrangements to protect the personal data in its possession.

What Was the Outcome?

Based on its findings, the PDPC directed the Organisation to pay a financial penalty of S$6,000 within 30 days, failing which interest would accrue on the outstanding amount.

In determining the appropriate penalty, the PDPC took into account several mitigating factors, including: (a) the URL was only known to Participants and not the public; (b) the KYC documents were only downloaded by a small number of Participants; (c) the exposure was for a very short time window of about 15 minutes; (d) the Organisation had taken immediate remedial actions; (e) the Organisation was cooperative during the investigation; and (f) the Organisation had promptly notified the PDPC of the incident.

Why Does This Case Matter?

This case highlights the importance of organizations implementing reasonable security measures to protect the personal data in their possession, particularly sensitive information such as KYC documents. The PDPC's decision emphasizes that organizations cannot rely solely on basic functional testing and must conduct more comprehensive security assessments, such as penetration testing and vulnerability scans, to identify and address potential vulnerabilities in their systems.

The case also demonstrates the PDPC's willingness to impose financial penalties on organizations that fail to comply with their obligations under the PDPA, even in cases where the actual harm or exposure of personal data may be limited. This sends a clear message to organizations that they must take their data protection responsibilities seriously and invest in appropriate security measures to safeguard the personal data they collect and process.

For legal practitioners, this case provides guidance on the PDPC's interpretation and application of the "reasonable security arrangements" requirement under Section 24 of the PDPA. It underscores the need for organizations to adopt a comprehensive and proactive approach to data security, rather than relying solely on basic security measures.

Legislation Referenced

  • Personal Data Protection Act 2012

Cases Cited

  • [2019] SGPDPC 17

Source Documents

This article analyses [2019] SGPDPC 17 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
