Singapore

PPLingo Pte. Ltd. [2023] SGPDPC 12

Analysis of [2023] SGPDPC 12, a decision of the Personal Data Protection Commission on 2024-05-23.


Case Details

Summary

In this case, the Personal Data Protection Commission (PDPC) investigated PPLingo Pte Ltd, an online education platform operator, for breaching its obligations under the Personal Data Protection Act 2012 (PDPA) in relation to a data breach incident. The PDPC found that PPLingo had failed to implement adequate security measures to protect the personal data of its users, including students, parents, teachers, and staff, which led to unauthorized access by a threat actor. The PDPC determined that PPLingo had breached its obligations under Sections 11(3) and 24 of the PDPA.

What Were the Facts of This Case?

PPLingo Pte Ltd (the "Organisation") operates an online Chinese and English language learning platform called LingoAce, which offers virtual classes to students aged 4 to 15 years old globally. The LingoAce platform incorporates an operations support system ("OPS System") that stores the personal data of the Organisation's students, parents, teachers, and other staff.

On 8 May 2022, the Organisation notified the PDPC of a data breach incident involving unauthorized access to the personal data contained within the OPS System. The Organisation engaged a private forensic expert ("PFE") to investigate the incident, and the PFE's findings revealed that sometime between 26 April 2022 and 27 April 2022, a threat actor had obtained the password of an administrator account of the OPS System ("Compromised Admin Account") through brute force attacks. The password for the Compromised Admin Account was "lingoace123".

Using the Compromised Admin Account, the threat actor created several new accounts with administrator privileges on the OPS System and used these accounts to access the personal data of 557,144 users, including students, parents, teachers, and other staff (both current and former). The personal data accessed included names, dates of birth, contact information, financial information, and other sensitive details. However, there was no evidence of any data modification or exfiltration.

The key legal issues in this case were whether the Organisation had breached its obligations under Section 24 of the PDPA to protect the personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, and whether the Organisation had breached its obligation under Section 11(3) of the PDPA to appoint a data protection officer (DPO).

How Did the Court Analyse the Issues?

In analyzing the Organisation's breach of the protection obligation under Section 24 of the PDPA, the PDPC noted that the Organisation had implemented certain security measures for the LingoAce platform, including network access control, firewall protection, and internal security awareness training for its IT development team. However, the PDPC found that the Organisation's password policy for the Compromised Admin Account was inadequate, which led to the successful brute force attack by the threat actor.

Specifically, the PDPC identified the following deficiencies in the Organisation's password policy:

  1. There was no requirement for the password to expire or be changed regularly. The password "lingoace123" had been in use since March 2020, over 2 years before the incident.
  2. There were no requirements for a minimum level of password complexity, such as a combination of numbers, symbols, and uppercase and lowercase characters. The password "lingoace123" was easily guessable.
  3. The password incorporated the Organisation's name and a common sequence of numbers, making it vulnerable to brute force attacks.

The PDPC emphasized that a robust password policy is a key security measure that an organisation must have in place to ensure its IT systems are not vulnerable to common hacking attempts. The PDPC found that the Organisation's failure to implement an adequate password policy for the Compromised Admin Account was a serious lapse that breached its protection obligation under Section 24 of the PDPA.
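The three deficiencies the PDPC listed map directly onto checks a password policy can enforce at the point where an administrator credential is set or reviewed. The following is an added example, not code from the decision or from the Organisation: a small policy evaluator that flags password age beyond a rotation limit, insufficient length and character-class mix, inclusion of the organisation's name, and a run of sequential digits. The rotation interval (90 days), the minimum length (12), the minimum number of character classes (3), the organisation name list and the sample credential record are all assumptions chosen for illustration; the decision itself states only that the password had been unchanged since March 2020 and lacked any complexity requirement.

```python
"""Added example (not from [2023] SGPDPC 12 or PPLingo): a password-policy
evaluator encoding the three deficiencies the PDPC identified.
Thresholds, organisation names and sample inputs are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90      # assumed rotation interval (deficiency 1)
MIN_LENGTH = 12                 # assumed minimum length (deficiency 2)
MIN_CHARACTER_CLASSES = 3       # of lowercase, uppercase, digit, symbol (deficiency 2)


@dataclass
class PolicyResult:
    ok: bool
    findings: list[str] = field(default_factory=list)


def _character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def _has_sequential_digits(password: str, run: int = 3) -> bool:
    """True if any digit group contains an ascending run such as '123'."""
    for group in re.findall(r"\d+", password):
        for i in range(len(group) - run + 1):
            window = group[i:i + run]
            if all(int(window[j + 1]) - int(window[j]) == 1 for j in range(run - 1)):
                return True
    return False


def evaluate_password(password: str, last_changed: date, today: date,
                      org_names: tuple[str, ...]) -> PolicyResult:
    """Apply the policy and return every finding, not just the first."""
    findings: list[str] = []

    # Deficiency 1: no expiry or regular change.
    age_days = (today - last_changed).days
    if age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password is {age_days} days old (limit {MAX_PASSWORD_AGE_DAYS})")

    # Deficiency 2: no minimum complexity.
    if len(password) < MIN_LENGTH:
        findings.append(f"length {len(password)} is below minimum {MIN_LENGTH}")
    classes = _character_classes(password)
    if classes < MIN_CHARACTER_CLASSES:
        findings.append(f"uses {classes} character classes, minimum {MIN_CHARACTER_CLASSES}")

    # Deficiency 3: organisation name and common number sequences.
    lowered = password.lower()
    for name in org_names:
        if name.lower() in lowered:
            findings.append(f"contains organisation name '{name}'")
    if _has_sequential_digits(password):
        findings.append("contains a sequential digit run")

    return PolicyResult(ok=not findings, findings=findings)


# Constructed sample: the password from the decision, assumed set on
# 1 March 2020 and checked on the first day of the incident window.
ORG_NAMES = ("LingoAce", "PPLingo")          # assumed name list


def check_weak_sample() -> PolicyResult:
    return evaluate_password("lingoace123", date(2020, 3, 1), date(2022, 4, 26), ORG_NAMES)


def check_strong_sample() -> PolicyResult:
    # Constructed credential that satisfies every check, rotated 30 days ago.
    return evaluate_password("Tq7!mRz9#wLp2b", date(2022, 3, 27), date(2022, 4, 26), ORG_NAMES)


if __name__ == "__main__":
    for label, result in (("weak", check_weak_sample()), ("strong", check_strong_sample())):
        print(label, "ok" if result.ok else "rejected")
        for finding in result.findings:
            print("  -", finding)
```

Returning every finding rather than stopping at the first is deliberate: an audit of existing administrator accounts, which is what the Organisation's post-incident password reset amounted to, needs the full list per account to prioritise remediation.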

Regarding the Organisation's breach of the accountability obligation under Section 11(3) of the PDPA, the PDPC noted that the Organisation had not appointed a DPO when it notified the PDPC of the incident. The PDPC determined that this was a contravention of the Organisation's accountability obligation under the PDPA.

What Was the Outcome?

The PDPC found that the Organisation had breached its obligations under Sections 11(3) and 24 of the PDPA. The PDPC did not impose a financial penalty on the Organisation, as it had voluntarily and unequivocally admitted to the contraventions and taken comprehensive remedial actions to mitigate the incident and prevent similar occurrences in the future.

The remedial actions taken by the Organisation included engaging a forensic expert, resetting passwords, implementing two-factor authentication, enhancing password requirements, appointing a DPO, notifying affected users, and improving its overall data protection and security practices.

Why Does This Case Matter?

This case highlights the importance of organizations implementing robust and comprehensive data protection and security measures, particularly in relation to password management, to fulfill their obligations under the PDPA. The PDPC's findings emphasize that a weak password policy can leave an organization's systems vulnerable to common hacking attempts, such as brute force attacks, which can lead to unauthorized access to sensitive personal data.

The case also underscores the PDPC's focus on holding organizations accountable for their data protection practices, including the appointment of a DPO as required by the PDPA. The PDPC's decision in this case serves as a reminder to organizations to review and strengthen their data protection measures to ensure compliance with the PDPA and to protect the personal data in their possession or control.


This article analyses [2023] SGPDPC 12 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
