Case Details
- Citation: [2019] SGPDPC 11
- Court: Personal Data Protection Commission
- Date: 2019-06-06
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Ncode Consultant Pte Ltd
- Legal Areas: Data protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act 2012
- Cases Cited: [2017] SGPDPC 1, [2017] SGPDPC 19, [2018] SGPDPC 26, [2019] SGPDPC 11
- Judgment Length: 11 pages, 2,526 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found Ncode Consultant Pte Ltd, a school administrative system developer, in breach of its obligations under the Personal Data Protection Act 2012 (PDPA) to implement reasonable security arrangements to protect the personal data of students stored in its NTRIX school management system. The breach occurred when six students exploited a SQL injection vulnerability in NTRIX to gain unauthorized access to teachers' login credentials and view and modify students' personal data, including examination results.
The PDPC determined that Ncode failed to detect and fix the SQL injection vulnerability, as well as to properly encrypt or hash the passwords stored in NTRIX, despite being contractually required to comply with the Ministry of Education's IT security specifications. The PDPC emphasized that the failure to prevent unauthorized modification of personal data, such as examination results, is a serious breach that can cause significant harm to affected individuals.
The case highlights the importance for organizations handling personal data to have adequate security measures in place and to ensure their technical staff are properly trained in IT security best practices.
What Were the Facts of This Case?
Ncode Consultant Pte Ltd (Ncode) is a school administrative system developer that has been working with schools since 1994. Ncode supplied its NTRIX School Management system to various schools, including Victoria School, which is organized and conducted directly by the Ministry of Education (MOE).
In December 2017, the Government Technology Agency of Singapore, on behalf of MOE, reported to the PDPC that the NTRIX system for Victoria School had suffered a total of 84 unauthorized logins between August 3 and October 17, 2017. The investigation revealed that six students had obtained teachers' login credentials by exploiting a SQL injection vulnerability in NTRIX, and had then used those credentials to access the system and view and modify students' personal data.
At the time of the incident, there were 2,792 records of students' personal data stored in Victoria School's instance of NTRIX, which could include information such as student names, admission numbers, residential addresses, mobile numbers, parents' names and contact details, subject proficiency ratings, examination scores, and examination summary ratings. The unauthorized access and modification exposed this personal data to the risk of further unauthorized use.
The investigations also found that the passwords stored in NTRIX were merely encoded in Base64, rather than properly encrypted or hashed, making them easily decoded using publicly available tools. Additionally, the NTRIX system had other vulnerabilities, such as broken session management and cross-site scripting, which were undetected and could have also exposed the personal data to unauthorized access.
What Were the Key Legal Issues?
The key legal issue in this case was whether Ncode had complied with its obligations under Section 24 of the PDPA to implement reasonable security arrangements to protect the personal data of students stored in the NTRIX system.
The PDPC had to determine whether Ncode, as the developer and provider of the NTRIX system to Victoria School, was acting as a data intermediary and therefore subject to the protection obligation under the PDPA. The PDPC also had to assess the adequacy of the security measures implemented by Ncode to safeguard the personal data against unauthorized access and modification.
How Did the Court Analyse the Issues?
The PDPC found that Ncode was acting as a data intermediary for Victoria School and was therefore subject to the protection obligation under Section 24 of the PDPA. The PDPC noted that Ncode's scope of work included processing the personal data stored in the NTRIX system and that Ncode was in possession and control of that data.
In analyzing Ncode's compliance with the protection obligation, the PDPC found that Ncode had failed to implement reasonable security arrangements to protect the personal data. Specifically, the PDPC identified two key failures by Ncode:
1. Failure to detect and fix the SQL injection vulnerability in NTRIX, despite this being a well-known security threat and a requirement under the MOE IT security specifications. The PDPC found that Ncode's engineers lacked the necessary IT security knowledge and skills to properly use security scanning tools to identify and address such vulnerabilities.
2. Failure to properly encrypt or hash the passwords stored in NTRIX, instead using the easily reversible Base64 encoding. The PDPC noted that this was not a reasonable security arrangement, as the passwords could be easily decoded using publicly available tools.
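The two failures above, illustrated side by side in an added example that is not code from the decision or from NTRIX: Base64 storage of a password is shown to be trivially reversible, a salted PBKDF2 hash is shown as the reasonable alternative, and the credential lookup uses a parameterised query so that user input is never interpreted as SQL. The username, password and table layout are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import sqlite3

# Constructed sample credential; not from the decision.
USERNAME = "teacher01"
PASSWORD = "correct horse battery staple"


# The weak scheme the PDPC criticised: Base64 is an encoding, not encryption
# or hashing, so anyone who can read the stored value gets the password back.
def store_base64(password: str) -> str:
    return base64.b64encode(password.encode()).decode()


def recover_from_base64(stored: str) -> str:
    return base64.b64decode(stored).decode()


# A reasonable arrangement: a per-user random salt and a slow, one-way
# password hash (PBKDF2-HMAC-SHA256 from the standard library here).
PBKDF2_ITERATIONS = 600_000


def store_hashed(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_hashed(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Credential lookup with a parameterised query: the username travels as a
# bound parameter, not as part of the SQL text, which is the fix for the
# injection class of flaw the decision describes.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (USERNAME, store_hashed(PASSWORD)))
    return conn


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and verify_hashed(password, row[0])
```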
The PDPC also found that the NTRIX system had other vulnerabilities, such as broken session management and cross-site scripting, which were undetected and could have further exposed the personal data to unauthorized access.
In the PDPC's view, these failures were due to the inexperience of Ncode's engineers in IT security, and Ncode's lack of proper training for its technical and security personnel, as required by the MOE IT security specifications.
What Was the Outcome?
Based on its findings, the PDPC concluded that Ncode had breached its obligations under Section 24 of the PDPA to implement reasonable security arrangements to protect the personal data in its possession.
The PDPC emphasized that the failure to prevent unauthorized modification of personal data, such as the students' examination results in this case, is a serious breach that can cause significant harm to affected individuals. While the unauthorized modifications were rectified by Victoria School and did not ultimately impact the students' grades, the PDPC noted that such modifications may not always be easily detected and could have serious consequences.
The PDPC did not impose any financial penalty on Ncode, as the company had taken prompt remedial actions after the incident, such as implementing two-factor authentication, fixing the SQL injection vulnerability, and improving its security scanning and testing procedures. However, the PDPC directed Ncode to continue reviewing and enhancing its data protection policies and practices to ensure compliance with the PDPA.
Why Does This Case Matter?
This case highlights the importance for organizations handling personal data, particularly sensitive information like student records, to have robust security measures in place to protect against unauthorized access and modification.
The PDPC's findings underscore the need for organizations to ensure their technical and security personnel are properly trained and equipped to identify and address common IT security vulnerabilities, such as SQL injection flaws. Relying on basic encoding methods like Base64 is not sufficient to protect sensitive passwords and other personal data.
The case also emphasizes that the failure to prevent unauthorized modification of personal data can be a serious breach of the PDPA, even if the impact is mitigated. Organizations must implement appropriate security controls to safeguard the integrity of the personal data in their possession.
This decision serves as a valuable precedent for organizations in the education sector and beyond, demonstrating the PDPC's expectations regarding data protection obligations and the potential consequences of non-compliance. It underscores the need for continuous vigilance and improvement of security practices to keep pace with evolving cyber threats.
Legislation Referenced
- Personal Data Protection Act 2012
Cases Cited
- [2017] SGPDPC 1
- [2017] SGPDPC 19
- [2018] SGPDPC 26
- [2019] SGPDPC 11
Source Documents
This article analyses [2019] SGPDPC 11 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.