Ninja Logistics Pte Ltd [2019] SGPDPC 39

Case Details

• Citation: [2019] SGPDPC 39
• Court: Personal Data Protection Commission
• Date: 2019-10-14
• Judges: Tan Kiat How, Commissioner
• Plaintiff/Applicant: N/A
• Defendant/Respondent: Ninja Logistics Pte Ltd
• Legal Areas: Data Protection – Protection obligation
• Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
• Cases Cited: [2016] SGPDPC 1, [2016] SGPDPC 6, [2019] SGPDPC 27, [2019] SGPDPC 39
• Judgment Length: 8 pages, 2,262 words

Summary

This case concerns a complaint received by the Personal Data Protection Commission (PDPC) about the potential unauthorized access to customer personal data through the delivery order tracking function on the website of Ninja Logistics Pte Ltd, a logistics company. The PDPC found that Ninja Logistics had failed to implement reasonable security arrangements to protect the personal data of its customers, in contravention of the Personal Data Protection Act 2012 (PDPA). The PDPC imposed a financial penalty on Ninja Logistics for this breach.

What Were the Facts of This Case?

Ninja Logistics Pte Ltd (the "Organisation") is a logistics company that provides packaging, delivery, and tracking services on behalf of retailers ("Retailers") to the Retailers' customers ("Customers"). In December 2014, the Organisation set up a delivery order tracking function on its website (the "Tracking Function Page") to allow Customers to check the delivery status of their parcels and confirm the identity of individuals who collected parcels on their behalf.

The Organisation used two types of tracking IDs for the Tracking Function Page: sequential and non-sequential. According to the Organisation, the sequential tracking IDs were used for recording and business analytics purposes. The Organisation was aware that the tracking IDs could potentially be manipulated by changing the last few digits, which could result in unauthorized access to customer personal data.

For a period of approximately 3 months after the launch of the Tracking Function Page, the Organisation unsuccessfully experimented with two methods to add a second layer of authentication to the tracking IDs, such as using the last 4 digits of a customer's mobile number or the customer's last name. However, the Organisation ceased using these additional authentication methods in 2015 due to difficulties in implementation.

Depending on the delivery status of the parcel, the Tracking Function Page could disclose the following personal data of customers ("Disclosed Data"): (a) for parcels with a "Pending Pickup" status, only the tracking ID; (b) for parcels with an "On Vehicle for Delivery" status, the tracking ID and the customer's address; and (c) for parcels with a "Completed" status, the tracking ID, the customer's address, and the name and signature of the customer or other individual who collected the parcel.

The Organisation did not have any procedures to remove records of completed deliveries (i.e., those with the "Completed" status) from the Tracking Function Page. The Organisation estimated that, at the time of the incident, there were 1,262,861 unique individuals with valid tracking IDs at the "Completed" status (the "Affected Individuals").

What Were the Key Legal Issues?

The key legal issue in this case was whether Ninja Logistics had contravened Section 24 of the Personal Data Protection Act 2012 (PDPA), which requires an organization to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.

How Did the Court Analyse the Issues?

The PDPC Commissioner found that Ninja Logistics had failed to put in place reasonable security arrangements to protect the personal data of its customers, for two main reasons:

First, despite being aware from the outset that the tracking IDs could be manipulated to gain unauthorized access to customer personal data, Ninja Logistics failed to operationalize an effective method of second-layer authentication. The Commissioner found this failure to be "inexcusable", given the foreseeable risk of using tracking IDs as the sole means of accessing the Tracking Function Page.

Secondly, Ninja Logistics did not have a procedure to remove the customer personal data from the Tracking Function Page after the completion of a delivery. The Commissioner noted that Ninja Logistics could have easily implemented a system to automatically expire the tracking IDs after a fixed period, which would have significantly reduced the risk of unauthorized access and disclosure.

In considering Ninja Logistics' representations, the Commissioner acknowledged that the company had archived a significant number of tracking IDs in August 2016, reducing the period during which the personal data was exposed to risk. However, the Commissioner found that this was a one-off exercise, and Ninja Logistics still failed to have proper procedures in place to remove records of completed deliveries in a timely manner.

The Commissioner also considered Ninja Logistics' arguments that keeping the personal data accessible was intended to provide an additional feature for Retailers and Customers, and that the names in the personal data were not full names and were "less sensitive" than in other cases. However, the Commissioner found that these factors had already been taken into account in determining the quantum of the financial penalty.

What Was the Outcome?

The PDPC Commissioner found that Ninja Logistics had contravened Section 24 of the PDPA by failing to implement reasonable security arrangements to protect the personal data of its customers. The Commissioner imposed a financial penalty of S$90,000 on Ninja Logistics for this breach.

Why Does This Case Matter?

This case highlights the importance of organizations implementing appropriate security measures to protect the personal data they collect and process, in accordance with the requirements of the PDPA. The PDPC's decision underscores that organizations cannot rely solely on the use of identifiers (such as tracking IDs) as the sole means of accessing personal data, and must have robust security controls in place to prevent unauthorized access.

The case also demonstrates the PDPC's willingness to impose significant financial penalties on organizations that fail to meet their data protection obligations, even in the absence of evidence of actual data breaches or misuse. The size of the penalty in this case, which exceeded S$50,000, serves as a strong deterrent for organizations to take their data protection responsibilities seriously.

Practitioners advising organizations on data protection compliance should take note of the PDPC's findings in this case, particularly the importance of implementing effective authentication mechanisms and having appropriate data retention policies to minimize the risk of unauthorized access to personal data.

Legislation Referenced

• Personal Data Protection Act
• Personal Data Protection Act 2012

Cases Cited

• [2016] SGPDPC 1 (Re K Box Entertainment Group Pte Ltd)
• [2016] SGPDPC 6 (Re Challenger Technologies Limited and others)
• [2019] SGPDPC 27 (Re Horizon Fast Ferry Pte Ltd)
• [2019] SGPDPC 39 (Ninja Logistics Pte Ltd)

Source Documents

• Original Judgment (PDF) — Singapore Law Watch
• Archived Copy (PDF) — Litt Law CDN

This article analyses [2019] SGPDPC 39 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.