Case Details
- Citation: [2022] SGPDPC 2
- Court: Personal Data Protection Commission
- Date: 2022-02-08
- Judges: Lew Chuen Hong, Commissioner
- Plaintiff/Applicant: N/A
- Defendant/Respondent: Quoine Pte Ltd
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Advisory Guidelines on Key Concepts in the Personal Data Protection Act, Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2017] SGPDPC 18, [2018] SGPDPC 26, [2019] SGPDPC 47, [2020] SGPDPCS 11, [2021] SGPDPC 11, [2022] SGPDPC 2
- Judgment Length: 12 pages, 3,101 words
Summary
In this case, the Personal Data Protection Commission (PDPC) investigated Quoine Pte Ltd, a Singapore-based cryptocurrency exchange, for failing to implement reasonable security arrangements to protect the personal data of over 650,000 of its customers. The PDPC found that Quoine had breached its obligations under the Personal Data Protection Act 2012 (PDPA) by failing to properly secure access to its cloud computing platform, which led to an external actor gaining unauthorized access and exfiltrating the customers' personal data.
What Were the Facts of This Case?
Quoine Pte Ltd is a Singapore-based company that operates a global cryptocurrency exchange under the "Liquid" brand. At the time of the incident, Quoine's IT infrastructure included a vendor-procured cloud computing platform that hosted its cryptocurrency exchange platform and database, as well as additional cloud storage used to store customer documents.
Quoine had engaged a third-party domain name registrar, the "Domain Provider", to register and host its domain (@quoine.com). On 13 November 2020, Quoine staff received emails from the Domain Provider indicating that changes had been made to the settings of Quoine's domain hosting account, which Quoine had not requested.
Investigations revealed that, through social engineering attacks on the Domain Provider's employees, an external actor had gained control of Quoine's domain hosting account. This allowed the external actor to redirect Quoine's email traffic to their own servers, initiate password resets for Quoine's services, and ultimately access Quoine's cloud computing platform using a privileged "DevOps Account". The external actor then accessed and exfiltrated the personal data of 652,564 of Quoine's customers, including sensitive information such as identification documents, financial details, and transaction records.
What Were the Key Legal Issues?
The key legal issue in this case was whether Quoine had breached its obligations under Section 24 of the Personal Data Protection Act 2012 (PDPA), which requires organizations to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks".
Specifically, the PDPC had to determine whether Quoine had failed to implement reasonable security arrangements to protect the personal data of its customers that was accessed and exfiltrated in the incident.
How Did the Court Analyse the Issues?
The PDPC noted that as a global cryptocurrency exchange regularly dealing with a large volume of sensitive personal data, Quoine was required to have a heightened data protection and cybersecurity posture. Given the nature and sensitivity of the customer data in its possession, which included financial information, identification documents, and transaction records, Quoine was obligated to implement strong security arrangements to protect this data.
The PDPC found that Quoine had failed to do so in two key respects: (1) it failed to review and assess the security implications and risks of the privileged "DevOps Account" that was ultimately compromised, and (2) it failed to implement reasonable access controls and security measures for this account.
The PDPC emphasized the importance of organizations conducting regular, correctly scoped security reviews to detect vulnerabilities and ensure reasonable security arrangements are in place. In previous decisions, the PDPC had highlighted this as a key requirement under the PDPA's protection obligation. By failing to properly review the DevOps Account, Quoine had overlooked the security risks it posed and the need for stronger access controls.
Additionally, the PDPC found that Quoine's implementation of access controls for the DevOps Account was inadequate. The PDPC noted that measures such as adopting stronger authentication (e.g. two-factor authentication) and imposing appropriate access restrictions are crucial for protecting sensitive personal data.
What Was the Outcome?
The PDPC found that Quoine had breached its obligations under Section 24 of the PDPA by failing to implement reasonable security arrangements to protect the personal data of its customers. As a result of these failures, the personal data of over 650,000 customers was accessed and exfiltrated by an unauthorized external actor.
While the PDPC acknowledged that the initial breach occurred at the Domain Provider level, it determined that the protection obligation for the customer data rested solely with Quoine, and that Quoine's security failures led to the unauthorized disclosure.
Why Does This Case Matter?
This case is significant as it reinforces the PDPC's expectations for organizations handling sensitive personal data, particularly in the financial technology sector. The PDPC has made it clear that organizations must have a heightened data protection and cybersecurity posture commensurate with the nature and sensitivity of the personal data they hold.
The decision highlights the importance of conducting regular, comprehensive security reviews to identify and address vulnerabilities, as well as the need for robust access controls and security measures for privileged accounts and systems. Organizations cannot simply rely on third-party service providers to protect their data; they must take full responsibility for the security of the personal information in their possession.
This case serves as a warning to businesses that they will be held accountable for failing to implement reasonable security arrangements to protect their customers' personal data, even if the initial breach occurs through a third-party service provider. It underscores the PDPC's commitment to enforcing the PDPA's protection obligation and ensuring organizations take appropriate steps to safeguard sensitive personal information.
Legislation Referenced
- Advisory Guidelines on Key Concepts in the Personal Data Protection Act
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2017] SGPDPC 18
- [2018] SGPDPC 26
- [2019] SGPDPC 47
- [2020] SGPDPCS 11
- [2021] SGPDPC 11
- [2022] SGPDPC 2
Source Documents
This article analyses [2022] SGPDPC 2 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.