
Learnaholic Pte. Ltd. [2019] SGPDPC 31

Analysis of [2019] SGPDPC 31, a decision of the Personal Data Protection Commission on 2019-08-26.

Case Details

  • Citation: [2019] SGPDPC 31
  • Court: Personal Data Protection Commission
  • Date: 2019-08-26
  • Judges: Tan Kiat How, Commissioner
  • Plaintiff/Applicant: N/A
  • Defendant/Respondent: Learnaholic Pte. Ltd.
  • Legal Areas: Data protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2016] SGPDPC 1, [2017] SGPDPC 12, [2017] SGPDPC 2, [2018] SGPDPC 17, [2019] SGPDPC 31
  • Judgment Length: 14 pages, 3,761 words

Summary

In this case, the Personal Data Protection Commission (PDPC) found that Learnaholic Pte. Ltd., an IT vendor providing attendance-taking and e-learning systems to schools, had failed to make reasonable security arrangements to protect the personal data of approximately 47,802 students, students' parents, and staff. The breach occurred when Learnaholic's actions created a vulnerability in the school's system, which a hacker then exploited to gain access to the personal data stored in the email account of the Learnaholic representative who had carried out the work.

What Were the Facts of This Case?

Learnaholic Pte. Ltd. was an IT vendor that provided attendance-taking and e-learning systems to schools, including one particular school (the "School"), pursuant to a contract with the Ministry of Education (MOE). In March 2016, the School informed Learnaholic of an intermittent problem with the attendance system at the school's guard post. To investigate the issue, Learnaholic decided to troubleshoot the problem remotely using remote desktop software (VNC Server) and modified the school's firewall to allow external access to the guard post cluster.

Learnaholic also disabled the password for the VNC Server, effectively creating a vulnerability in the school's system. The representative conducting the remote troubleshooting forgot to close the open port and restore the school's original firewall configuration after the troubleshooting was completed. This combination of actions allowed a hacker to gain unauthorized access to the guard post cluster.

The hacker was able to retrieve a configuration file stored on the guard post cluster, which contained the login credentials for the representative's work email account. The representative's email account contained the unencrypted personal data of approximately 47,802 staff, students, and students' parents from various schools, including names, NRIC numbers, contact information, and medical information for 372 students.

The breach was only discovered in February 2017 by the Singapore Police Force during the investigation of a separate hacking incident. The PDPC was then informed and commenced its own investigation.

The key legal issue in this case was whether Learnaholic had fulfilled its obligations under Section 24 of the Personal Data Protection Act (PDPA) to protect the personal data in its possession by making reasonable security arrangements to prevent unauthorized access and similar risks.

Specifically, the PDPC had to determine whether Learnaholic's actions in modifying the school's firewall, disabling the password for remote access, and failing to properly secure the configuration file containing login credentials amounted to a breach of the PDPA's protection obligation.

How Did the Court Analyse the Issues?

The PDPC found that Learnaholic had failed to make reasonable security arrangements to protect the personal data in its possession, and therefore breached the protection obligation under Section 24 of the PDPA.

First, the PDPC found that Learnaholic's actions in opening a port in the school's firewall to allow remote access, while simultaneously disabling the password for the remote access, created a vulnerability that was ultimately exploited by the hacker. The PDPC noted that Learnaholic did not inform the school about the changes made to the firewall configuration, which was a "clear security lapse borne from convenience."

Second, the PDPC found that the configuration file containing the representative's email login credentials should have been stored only on the school's attendance server, but was inadvertently copied to the guard post cluster where the vulnerability existed. This allowed the hacker to obtain the login credentials and gain access to the representative's email account, where the unencrypted personal data was stored.

The PDPC emphasized that Learnaholic's approach to securing the login credentials, by simply listing them in a "jumbled up or random manner," fell "far below the level of sophistication" expected for protecting such sensitive information.
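An added illustrative check, not part of the decision or of Learnaholic's systems: given a constructed list of firewall rules and remote-access services (the rule format, the expiry field and the VNC port number are assumptions), it flags the two lapses the Commission identified in the facts above, a temporary external-access rule that was never reverted and an exposed service with authentication disabled.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class Rule:
    name: str
    src: str            # "any" = reachable from outside the school network
    dst_port: int
    action: str         # "allow" or "deny"
    temporary: bool = False
    expires: Optional[datetime] = None   # assumed: when a temporary rule should have been reverted


@dataclass
class Service:
    name: str
    port: int
    auth_required: bool


def audit(rules: List[Rule], services: List[Service], now: datetime) -> List[str]:
    """Return one finding per lapse: a temporary external-access rule that has
    outlived its window, or an externally reachable service with no authentication."""
    findings = []
    exposed = {}   # port -> first allow-from-anywhere rule that exposes it
    for r in rules:
        if r.action != "allow" or r.src != "any":
            continue
        exposed.setdefault(r.dst_port, r)
        if r.temporary and (r.expires is None or r.expires < now):
            findings.append(f"{r.name}: temporary external-access rule was never reverted")
    for s in services:
        if s.port in exposed and not s.auth_required:
            findings.append(f"{s.name}: reachable from outside on port {s.port} with authentication disabled")
    return findings


NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)   # constructed audit time, months after the March change


def sample_audit() -> List[str]:
    # Constructed data modelled on the facts: a troubleshooting rule opened in March 2016
    # for a one-week window, and a VNC server whose password was disabled. Port 5900 is
    # the usual VNC port; the decision itself does not name the port.
    rules = [
        Rule("guardpost-vnc-troubleshoot", "any", 5900, "allow", temporary=True,
             expires=datetime(2016, 3, 22, tzinfo=timezone.utc)),
        Rule("lan-attendance", "10.0.0.0/8", 443, "allow"),
    ]
    services = [Service("vnc-server", 5900, auth_required=False),
                Service("attendance-web", 443, auth_required=True)]
    return audit(rules, services, NOW)
```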

What Was the Outcome?

Based on its findings, the PDPC concluded that Learnaholic had breached the protection obligation under Section 24 of the PDPA. The PDPC did not impose a financial penalty on Learnaholic, but directed the company to:

  1. Conduct a comprehensive review of its data protection policies and practices, and implement appropriate measures to address the shortcomings identified in this case;
  2. Engage an independent third party to audit its data protection practices and report the findings to the PDPC; and
  3. Provide a copy of the audit report and details of the remedial actions taken to the PDPC within 6 months.

Why Does This Case Matter?

This case is significant for several reasons:

  1. It highlights the importance of organizations making reasonable security arrangements to protect the personal data in their possession, as required by the PDPA. The PDPC's findings make it clear that merely relying on convenience or a "jumbled up" approach to securing sensitive information is not sufficient to meet the PDPA's protection obligation.
  2. The case serves as a warning to organizations that any actions taken to facilitate remote access or troubleshooting, such as modifying firewall configurations, must be carefully considered and implemented with appropriate security measures in place. Failing to do so can create vulnerabilities that can be exploited by hackers.
  3. The PDPC's decision emphasizes the need for organizations to have robust data protection policies and practices, and to regularly review and audit these measures to ensure they remain effective. The remedial actions required of Learnaholic underscore the PDPC's commitment to ensuring organizations take appropriate steps to address data protection shortcomings.
  4. This case provides valuable guidance for practitioners on the PDPC's interpretation and application of the protection obligation under the PDPA, which can inform the development of data protection strategies and compliance programs.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012

Cases Cited

  • [2016] SGPDPC 1
  • [2017] SGPDPC 12
  • [2017] SGPDPC 2
  • [2018] SGPDPC 17
  • [2019] SGPDPC 31

Source Documents

This article analyses [2019] SGPDPC 31 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
