
Lovebonito Singapore Pte. Ltd. [2022] SGPDPC 3

Analysis of [2022] SGPDPC 3, a decision of the Personal Data Protection Commission on 2022-02-21.

Case Details

  • Citation: [2022] SGPDPC 3
  • Court: Personal Data Protection Commission
  • Date: 2022-02-21
  • Judges: Lew Chuen Hong, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: Lovebonito Singapore Pte. Ltd.
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012, Unauthorised Code
  • Cases Cited: [2016] SGPDPC 22, [2017] SGPDPC 18, [2018] SGPDPC 8, [2019] SGPDPC 43, [2019] SGPDPC 11, [2019] SGPDPC 31, [2019] SGPDPC 47, [2020] SGPDPCR 1, [2022] SGPDPC 3
  • Judgment Length: 17 pages, 4,761 words

Summary

This case involves an investigation by the Personal Data Protection Commission (PDPC) into a data breach incident at Lovebonito Singapore Pte. Ltd., an e-commerce platform that retails clothing and accessories. The PDPC found that Lovebonito failed to implement reasonable security arrangements to protect the personal data of its customers, including their order details and credit card information, in contravention of the Personal Data Protection Act 2012 (PDPA). The PDPC imposed a financial penalty on Lovebonito for its breaches.

What Were the Facts of This Case?

Lovebonito Singapore Pte. Ltd. (the "Organisation") operates an e-commerce platform (the "Website") that sells clothing and accessories. The Organisation employed two third-party solutions to manage the Website: Magento Cloud, a cloud-based service that hosted and ran the Website, and Adyen N.V., a payment platform that facilitated credit card payments on the Website.

When customers made purchases on the Website, they would input their credit card details, including the full card number, expiry date, CVV number, and billing address, into Adyen's payment frame on the checkout page. Adyen would then process the payment and send some of this credit card data (the "Partial Credit Card Data") back to the Organisation, which the Organisation would store together with other customer details (the "Order Data").

On or around 22 November 2019, the Organisation noticed a sharp drop in credit card authorisations for payments via Adyen's platform and began investigating. It was discovered that the checkout page had been configured to load an incorrect form that had not been submitted through the Organisation's Magento Content Management System (CMS) or validated by its employees. This incorrect form had intercepted and exfiltrated the customers' full credit card details (the "Credit Card Data") to a malicious actor.

Further investigations revealed that one of the Organisation's Magento CMS accounts with administrator privileges had likely been compromised, and this account was used to modify the checkout page and access and exfiltrate the Order Data and Credit Card Data. In total, the personal data of 5,561 customers was accessed and exfiltrated in the incident.

The key legal issues in this case were:

1. Whether the Order Data and Credit Card Data constituted "personal data" under the PDPA.

2. Whether the Organisation had contravened section 24 of the PDPA, which requires organisations to protect personal data in their possession or under their control by making reasonable security arrangements.

How Did the Court Analyse the Issues?

On the first issue, the PDPC found that both the Order Data and the Credit Card Data constituted "personal data" under the PDPA. The Order Data could directly identify individuals, while the Credit Card Data, although not identifying individuals on its own, could do so when combined with the Order Data that the Organisation had access to.

On the second issue, the PDPC examined the reasonableness of the Organisation's security arrangements, noting that stronger security measures are required when protecting sensitive personal data like financial information. The PDPC found that the Organisation had failed to implement reasonable security arrangements in several key areas:

1. Inadequate password policy: The Organisation's password policy for its Magento CMS accounts did not mandate periodic password changes or prevent the use of easily guessable passwords, despite the availability of these features in Magento CMS.

2. Lack of two-factor authentication: The Organisation did not implement two-factor authentication for its Magento CMS accounts, despite the availability of this security feature.

3. Insufficient access controls: The Organisation had not adequately reviewed and refined the scope of roles and permissions for its Magento CMS user accounts, allowing the compromised account to be used to access and exfiltrate the personal data.

4. Inadequate monitoring and detection: The Organisation did not have sufficient measures in place to detect and alert on suspicious activities, such as unauthorized API calls or JavaScript injections, that could have helped identify the breach earlier.
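The fourth finding turns on detection: the modified checkout page loaded a form that no one had approved through the CMS, and nothing alerted on it. One practical control is a baseline integrity check that periodically fetches the live checkout page and compares what it loads (external scripts, inline script hashes, form targets, payment frames) against an approved allowlist. The script below is an added example for this case note, not code from Lovebonito, Magento or Adyen; the hostnames, the baseline values and both sample pages are constructed for illustration, and the hostnames are assumptions rather than the Organisation's real configuration.

```python
"""Checkout-page integrity check: report scripts, forms or frames that are not
in the approved baseline.

Added example for this case note (not Lovebonito's, Magento's or Adyen's code).
All hostnames, baseline values and sample HTML are constructed assumptions.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: what the approved checkout page is allowed to load.
PAGE_HOST = "example-shop.test"  # assumed storefront host, relative URLs resolve here
APPROVED_SCRIPT_HOSTS = {PAGE_HOST, "static.example-shop.test", "checkoutshopper-live.adyen.com"}
APPROVED_INLINE_SCRIPT_HASHES = {
    hashlib.sha256(b"window.checkoutConfig = {currency: 'SGD'};").hexdigest(),
}
APPROVED_FORM_HOSTS = {PAGE_HOST}
APPROVED_FRAME_HOSTS = {"checkoutshopper-live.adyen.com"}


class _CheckoutParser(HTMLParser):
    """Collect script sources, inline script bodies, form actions and frame sources."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline_scripts = [], []
        self.form_actions, self.frame_srcs = [], []
        self._in_inline_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_inline_script, self._buf = True, []
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "iframe":
            self.frame_srcs.append(a.get("src", ""))

    def handle_data(self, data):
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self.inline_scripts.append("".join(self._buf).strip())
            self._in_inline_script = False


def _host(url, page_host=PAGE_HOST):
    """Host of a URL; relative URLs belong to the page's own origin."""
    h = urlparse(url).hostname
    return h.lower() if h else page_host


def check_checkout_page(html, page_host=PAGE_HOST):
    """Return (category, value) findings that deviate from the baseline.

    An empty list means the page matches the approved baseline. Each finding is
    something an alert should be raised on and reconciled against CMS change records.
    """
    p = _CheckoutParser()
    p.feed(html)
    findings = []
    for src in p.script_srcs:
        if _host(src, page_host) not in APPROVED_SCRIPT_HOSTS:
            findings.append(("unapproved-script-host", src))
    for body in p.inline_scripts:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in APPROVED_INLINE_SCRIPT_HASHES:
            findings.append(("unapproved-inline-script", digest))
    for action in p.form_actions:
        if _host(action, page_host) not in APPROVED_FORM_HOSTS:
            findings.append(("unapproved-form-target", action))
    for src in p.frame_srcs:
        if _host(src, page_host) not in APPROVED_FRAME_HOSTS:
            findings.append(("unapproved-frame-source", src))
    return findings


# Constructed sample: the approved checkout page.
GOOD_PAGE = """<html><body>
<script src="https://static.example-shop.test/checkout.js"></script>
<script>window.checkoutConfig = {currency: 'SGD'};</script>
<form action="/checkout/place-order"></form>
<iframe src="https://checkoutshopper-live.adyen.com/card.html"></iframe>
</body></html>"""

# Constructed sample: the same page after an unapproved change (extra script,
# altered inline config, form now posting to a host outside the baseline).
TAMPERED_PAGE = """<html><body>
<script src="https://static.example-shop.test/checkout.js"></script>
<script src="https://cdn.unapproved.invalid/loader.js"></script>
<script>window.checkoutConfig = {currency: 'SGD', hook: true};</script>
<form action="https://collect.unapproved.invalid/submit"></form>
<iframe src="https://checkoutshopper-live.adyen.com/card.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    print("approved page findings:", check_checkout_page(GOOD_PAGE))
    for category, value in check_checkout_page(TAMPERED_PAGE):
        print(f"ALERT {category}: {value}")
```

Run on a schedule against the live checkout URL (and from an external vantage point, since the tampering here was only visible in what customers' browsers received), a non-empty result is the alert the PDPC found missing; the baseline itself should only change through the same CMS review step the incorrect form bypassed.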

What Was the Outcome?

Based on the PDPC's findings, the Organisation was found to have contravened section 24 of the PDPA by failing to implement reasonable security arrangements to protect the personal data of its customers. The PDPC imposed a financial penalty of S$60,000 on the Organisation.

Why Does This Case Matter?

This case is significant for several reasons:

1. It highlights the importance of implementing robust and comprehensive security measures to protect sensitive personal data, especially financial information, in line with industry best practices and regulatory guidance.

2. It emphasizes the need for organizations to regularly review and strengthen their access controls, password policies, and monitoring capabilities to detect and respond to potential security breaches.

3. The PDPC's decision serves as a reminder to organizations that they will be held accountable for failing to meet their data protection obligations under the PDPA, even if the breach was caused by a third-party compromise of their systems.

4. The case provides valuable guidance to organizations on the specific security measures expected by the PDPC to fulfill the "reasonable security arrangements" requirement under the PDPA, such as mandatory password changes, two-factor authentication, and effective access controls and monitoring.

Legislation Referenced

  • Personal Data Protection Act 2012
  • Personal Data Protection Act
  • Unauthorised Code

Cases Cited

  • [2016] SGPDPC 22
  • [2017] SGPDPC 18
  • [2018] SGPDPC 8
  • [2019] SGPDPC 43
  • [2019] SGPDPC 11
  • [2019] SGPDPC 31
  • [2019] SGPDPC 47
  • [2020] SGPDPCR 1
  • [2022] SGPDPC 3

Source Documents

This article analyses [2022] SGPDPC 3 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
