Case Details
- Citation: [2023] SGPDPC 3
- Court: Personal Data Protection Commission
- Date: 2023-02-21
- Judges: Lew Chuen Hong, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: OrangeTee & Tie Pte Ltd
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act 2012
- Cases Cited: [2018] SGPDPC 26, [2021] SGPDPC 11, [2022] SGPDPC 1
- Judgment Length: 14 pages, 3,061 words
Summary
In this case, the Personal Data Protection Commission (PDPC) investigated OrangeTee & Tie Pte Ltd, a real estate enterprise in Singapore, for a breach of the Personal Data Protection Act 2012 (PDPA). The investigation centered on whether OrangeTee had failed to make reasonable security arrangements to protect the personal data in its possession, after a threat actor managed to exfiltrate databases containing sensitive customer and employee information.
The PDPC found that OrangeTee had breached its protection obligation under the PDPA in two key respects: (1) by using live production data for development and testing purposes without sufficient safeguards, and (2) by failing to implement adequate security measures to prevent unauthorized access to its IT systems. The PDPC ordered OrangeTee to pay a financial penalty for these breaches.
This case highlights that organizations must manage personal data carefully even when it is used for internal purposes such as testing and development, and must maintain robust security controls to prevent data breaches. It sets out the PDPC's expectations on data anonymization, access controls, and regular security reviews.
What Were the Facts of This Case?
OrangeTee & Tie Pte Ltd is a real estate enterprise based in Singapore that has been in operation since 2000. On 4 August 2021, the PDPC was informed that a threat actor had managed to exfiltrate databases in OrangeTee's possession, which were believed to contain personal data.
Subsequently, on 6 August 2021, OrangeTee notified the PDPC of an incident involving unauthorized access to its IT network. The threat actor, identifying themselves as the 'ALTDOS' group, had sent OrangeTee a ransom demand, claiming to have stolen "hundreds of databases" containing sensitive information.
Investigations by a private forensic expert (PFE) engaged by OrangeTee revealed that the threat actor had indeed exfiltrated personal datasets from eleven databases, containing the personal data of 256,583 individuals - including employees, customers, and agents. The types of personal data exposed included names, NRIC/FIN/passport numbers, bank account numbers, and financial transaction details.
The PFE's analysis found that the threat actor had exploited vulnerabilities in OrangeTee's web servers to gain unauthorized access to the databases. Specifically, the Production Web Server was vulnerable to SQL injection attacks, while the Development Web Server had been compromised through cross-site scripting attacks.
What Were the Key Legal Issues?
The key legal issue in this case was whether OrangeTee had breached its obligation under Section 24 of the PDPA to protect the personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks (the "Protection Obligation").
The PDPC's investigation focused on two specific aspects of OrangeTee's data protection practices: (1) its use of live production data for development and testing purposes, and (2) the adequacy of its overall security measures to prevent unauthorized access to its IT systems.
How Did the Court Analyse the Issues?
On the first issue, the PDPC found that OrangeTee had used live production data, including personal data, for development and testing purposes without implementing sufficiently robust processes to protect the data. The PDPC noted that this practice creates a security risk, as test environments are typically less secured than production environments.
The PDPC referenced its own guidance in the Handbook on How to Guard Against Common Types of Data Breaches, which advises organizations to use anonymized or synthetic data for testing, rather than live production data. The PDPC also cited its previous decision in Re PINC Interactive Pte Ltd [2022] SGPDPC 1, where it had held that an organization had breached the Protection Obligation by using a dataset containing real users' personal data for testing.
The PDPC acknowledged that the use of live production data may be operationally necessary in some cases, but emphasized that organizations must implement sufficiently robust processes to safeguard the personal data in such situations. OrangeTee had failed to do so, exposing the personal data stored on its Development Servers to the threat actor's unauthorized access.
On the second issue, the PDPC found that OrangeTee had also breached the Protection Obligation by failing to implement adequate security measures to prevent unauthorized access to its IT systems. Specifically, the PDPC noted that the Database Servers were running an outdated version of Microsoft SQL Server that was no longer supported by the vendor, so it no longer received security patches and remained exposed to known, exploitable weaknesses.
The PDPC highlighted that organizations have a duty to regularly review and update their security measures to address evolving threats, but OrangeTee had failed to do so in a timely manner. This allowed the threat actor to successfully infiltrate OrangeTee's systems and exfiltrate the personal data stored on the Database Servers.
What Was the Outcome?
Based on its findings, the PDPC determined that OrangeTee had breached its Protection Obligation under the PDPA in two respects: (1) by using live production data for development and testing purposes without sufficient safeguards, and (2) by failing to implement adequate security measures to prevent unauthorized access to its IT systems.
As a result, the PDPC ordered OrangeTee to pay a financial penalty of S$74,000 for these breaches. The PDPC also directed OrangeTee to review and enhance its data protection practices, including by implementing more robust processes for the use of personal data in non-production environments and regularly reviewing and updating its security controls.
Why Does This Case Matter?
This case provides important guidance on the PDPC's expectations regarding organizations' obligations to protect personal data under the PDPA. It reinforces the PDPC's position that the use of live production data for testing and development purposes, without appropriate safeguards, constitutes a breach of the Protection Obligation.
The case also highlights the importance of maintaining robust and up-to-date security measures to prevent unauthorized access to personal data. Organizations must regularly review and enhance their security controls to address evolving threats, as failing to do so can result in significant consequences under the PDPA.
Practitioners advising clients on data protection compliance should take note of the PDPC's clear stance on these issues, as reflected in this decision and its previous guidance. They should work with their clients to ensure that appropriate data anonymization techniques and security controls are in place, particularly for sensitive personal data used in non-production environments.
This article analyses [2023] SGPDPC 3 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.