
MyRepublic Limited [2022] SGPDPC 5

Analysis of [2022] SGPDPC 5, a decision of the Personal Data Protection Commission on 2022-08-05.

Case Details

  • Citation: [2022] SGPDPC 5
  • Court: Personal Data Protection Commission
  • Date: 2022-08-05
  • Judges: Lew Chuen Hong, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: MyRepublic Limited
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: Advisory Guidelines on Key Concepts in the Personal Data Protection Act, Personal Data Protection Act, Personal Data Protection Act 2012, Telecommunications Act, Telecommunications Act 1999
  • Cases Cited: [2021] SGPDPC 11, [2022] SGPDPC 5
  • Judgment Length: 10 pages, 2,689 words

Summary

In this case, the Personal Data Protection Commission (PDPC) investigated a data breach incident involving MyRepublic Limited, a telecommunications operator in Singapore. The PDPC found that MyRepublic had failed to implement reasonable security arrangements to protect the personal data of its customers, in breach of the Protection Obligation under the Personal Data Protection Act 2012 (PDPA). The breach resulted in the unauthorized access and exfiltration of sensitive personal data belonging to nearly 80,000 of MyRepublic's customers.

What Were the Facts of This Case?

MyRepublic Limited is a telecommunications operator in Singapore that holds a Facilities-Based Operations (FBO) license under the Telecommunications Act. Customers applying for mobile services with MyRepublic would submit their customer identity verification and number portability documents (known as "KYC documents") through MyRepublic's Mobile Order Portal. These KYC documents, which contained sensitive personal data such as NRIC numbers, photographs, and thumbprints, were then stored in a cloud storage bucket hosted on Amazon Web Services (AWS).

Access to this cloud storage bucket was restricted through the use of an access key (the "Access Key"). However, the Access Key was stored in the source code of MyRepublic's Portal, making it potentially accessible to MyRepublic's developers. On 29 August 2021, MyRepublic became aware that an external actor had accessed and exfiltrated the KYC documents from the cloud storage bucket using the Access Key. The external actor threatened to publish the downloaded customer data unless a ransom was paid.

Investigations revealed that the external actor had likely obtained the Access Key through two vulnerabilities in MyRepublic's systems: (1) the disclosure of the Access Key in the Portal's functionality that displayed technical information, and (2) the disclosure of the Access Key in the Portal's source code repository, which was accessible to all of MyRepublic's developers. As a result, the personal data of 79,388 of MyRepublic's customers was accessed and exfiltrated, including sensitive information such as NRIC numbers, photographs, and thumbprints.

The key legal issue in this case was whether MyRepublic had breached the Protection Obligation under Section 24 of the Personal Data Protection Act 2012 (PDPA). Section 24 of the PDPA requires organizations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.

The PDPC had to assess the reasonableness of MyRepublic's security arrangements to protect the sensitive personal data of its customers, given the high volume and sensitivity of the data involved. The PDPC also had to consider MyRepublic's obligations as a telecommunications operator holding an FBO license under the Telecommunications Act, which required it to maintain and retain certain customer records, including copies of NRIC and other identity documents.

How Did the Court Analyse the Issues?

The PDPC found that MyRepublic had failed to implement sufficiently robust processes to manage the Access Key, which allowed access to the customer data stored in the AWS cloud storage bucket. Specifically, the PDPC noted that MyRepublic had left the Access Key publicly accessible through a "PHP Info" functionality in its Portal, which allowed anyone who knew or could guess the URL to obtain the Access Key and access the customer data.

The PDPC also found that MyRepublic had failed to implement reasonable security controls for its AWS environment. The PDPC cited the guidance in the AWS Reference Guide, which advises users to protect access keys as they provide unrestricted access to all resources in the AWS account. However, MyRepublic had not implemented sufficiently robust processes to protect the Access Key, leading to its unauthorized disclosure and the subsequent breach.
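The two weaknesses the PDPC identified (a credential committed to the Portal's source and environment configuration, and a "PHP Info" page that prints server configuration, environment variables included, to anyone who reaches it) are both things a repository check can catch before deployment. The following is an added illustration, not code from the decision or from MyRepublic: a small pre-commit style scanner that flags AWS access key IDs and secret access keys in tracked files, flags any `phpinfo()` call in web-served code, and checks that `.env` files are git-ignored. The sample repository contents are constructed for the example; the key values are AWS's published documentation placeholders, not live credentials.

```python
import re
from dataclasses import dataclass

# Constructed sample repository (assumption: illustrative file names and
# contents, not MyRepublic's actual code). The key ID and secret are the
# placeholder values from AWS documentation, not real credentials.
SAMPLE_REPO = {
    "config/.env": (
        "APP_ENV=production\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "public/info.php": "<?php\nphpinfo();\n",
    "src/Storage.php": (
        "<?php\n"
        "$client = new S3Client(['credentials' => "
        "['key' => getenv('AWS_ACCESS_KEY_ID')]]);\n"
    ),
    ".gitignore": "vendor/\n",
}

# Long-term access key IDs start with AKIA, temporary ones with ASIA,
# followed by 16 upper-case alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret access key is 40 base64-ish characters; only flag it when it sits
# next to a tell-tale variable name, to keep false positives down.
AWS_SECRET_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)
PHPINFO_RE = re.compile(r"\bphpinfo\s*\(")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    detail: str


def mask(value: str) -> str:
    """Keep only the first and last four characters so findings can be logged."""
    return value[:4] + "..." + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every credential or phpinfo() exposure found in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", mask(m.group(0))))
        if AWS_SECRET_RE.search(line):
            # Never echo the secret itself into tool output.
            findings.append(Finding(path, lineno, "aws_secret_access_key", "value redacted"))
        if PHPINFO_RE.search(line):
            findings.append(Finding(path, lineno, "phpinfo_exposure", "phpinfo() call in served code"))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, as a pre-commit hook would."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def env_files_ignored(files: dict[str, str]) -> bool:
    """True when .gitignore contains a pattern that keeps .env files out of git."""
    patterns = {p.strip() for p in files.get(".gitignore", "").splitlines()}
    return any(
        p in (".env", "*.env", "**/.env", "**/*.env") or p.endswith("/.env")
        for p in patterns
    )


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line} {f.kind}: {f.detail}")
    if not env_files_ignored(SAMPLE_REPO):
        print(".gitignore does not exclude .env files")
```

Run against the sample repository, the scanner reports the key ID and secret in `config/.env`, the `phpinfo()` call in `public/info.php`, and the missing `.gitignore` entry; `src/Storage.php`, which reads the key from the environment instead of embedding it, produces no finding. The check is deliberately narrow (exact AWS key formats plus one function name) so it can run on every commit without drowning reviewers in noise; a finding is a prompt to rotate the credential and move it to a secrets manager or instance role, which is what the remediation described later in this decision amounts to.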

In assessing the reasonableness of MyRepublic's security arrangements, the PDPC considered the high volume and sensitivity of the personal data involved. The customer data included NRIC numbers, photographs, thumbprints, and other sensitive information that could enable identity theft and other forms of harm. Given the nature and volume of the data, the PDPC concluded that MyRepublic should have implemented stronger security measures to protect it.

What Was the Outcome?

The PDPC found that MyRepublic had breached the Protection Obligation under Section 24 of the PDPA by failing to implement reasonable security arrangements to protect the personal data of its customers. As a result of the breach, the personal data of 79,388 individuals was accessed and exfiltrated by an unauthorized external actor.

To address the breach, MyRepublic undertook various remedial actions, including revoking the compromised Access Key, removing the environment configuration files that exposed the Access Key, restricting access to the cloud storage buckets, and implementing other security improvements to its systems. MyRepublic also notified the affected customers, recommended actions to minimize the risks of identity fraud and social engineering, and offered six months of complimentary credit monitoring services.

Why Does This Case Matter?

This case is significant as it highlights the importance of organizations, particularly those handling large volumes of sensitive personal data, implementing robust and comprehensive security measures to protect such data. The PDPC's decision emphasizes that organizations cannot simply rely on their cloud service providers to ensure the security of the data they store in the cloud. Organizations have a duty under the PDPA to make reasonable security arrangements to protect personal data under their control, regardless of where it is stored.

The case also serves as a cautionary tale for organizations that may have sensitive personal data stored in their systems, even if it is not the core focus of their business. As demonstrated by MyRepublic, the failure to properly secure such data can have significant consequences, including the risk of data breaches, reputational damage, and regulatory enforcement action.

Ultimately, this decision underscores the need for organizations to continuously review and strengthen their data security practices, especially as the threat landscape evolves and new vulnerabilities are discovered. By prioritizing data protection and implementing robust security controls, organizations can better safeguard the personal information entrusted to them and mitigate the risks of costly and damaging data breaches.

Legislation Referenced

  • Advisory Guidelines on Key Concepts in the Personal Data Protection Act
  • Personal Data Protection Act
  • Personal Data Protection Act 2012
  • Telecommunications Act
  • Telecommunications Act 1999

Cases Cited

  • [2021] SGPDPC 11
  • [2022] SGPDPC 5

Source Documents

This article analyses [2022] SGPDPC 5 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
