
Re Marshall Cavendish Education Pte. Ltd. [2019] SGPDPC 34

Analysis of [2019] SGPDPC 34, a decision of the Personal Data Protection Commission on 2019-08-30.

Case Details

  • Citation: [2019] SGPDPC 34
  • Court: Personal Data Protection Commission
  • Date: 2019-08-30
  • Judges: Tan Kiat How, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: Marshall Cavendish Education Pte. Ltd.
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: -
  • Cases Cited: [2016] SGPDPC 6, [2018] SGPDPC 28, [2018] SGPDPC 4, [2019] SGPDPC 1, [2019] SGPDPC 34
  • Judgment Length: 16 pages, 4,080 words

Summary

This case highlights the importance of making adequate security arrangements to protect personal data and limit the exposure of an organization's computer systems to potential online threats, such as ransomware attacks. The Personal Data Protection Commission (PDPC) found that Marshall Cavendish Education Pte Ltd (MCE) had breached its data protection obligations under the Personal Data Protection Act (PDPA) when a ransomware attack affected its network and exposed the personal data of over 250,000 users.

What Were the Facts of This Case?

MCE provided a learning management system (LMS) at www.mconline.com.sg to the Ministry of Education (MOE) schools under a contract between MCE and MOE. On 1 February 2017, a ransomware attack affected a substantial portion of MCE's network. The ransomware had encrypted files on 11 servers and network storage devices, including files containing the personal data of 206,240 active and 44,688 inactive users of the LMS.

The personal data stored on MCE's servers included users' login IDs (which comprised full or partial birth certificate or NRIC numbers), names, school names, schooling levels, and classes. Users could also optionally provide additional personal data such as email addresses, addresses, NRIC numbers, mobile numbers, and their parents' or guardians' information.

Investigations revealed that the primary cause of the incident was a change made by MCE's senior system engineer to a firewall rule, which allowed internet access to the backup server. This enabled an external perpetrator to gain entry into the system and upload and execute the ransomware. The system engineer had intended the firewall rule change to be temporary, but failed to reinstate the original rule, leaving the server continuously exposed to internet access.

The key legal issue was whether MCE had complied with its data protection obligations under section 24 of the Personal Data Protection Act (PDPA), which requires organizations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, or similar risks.

There was also a preliminary issue of whether MCE could be considered a data intermediary acting on behalf of a public agency (the Ministry of Education) and thus be exempt from certain PDPA obligations under section 4(1)(c) of the Act.

How Did the Court Analyse the Issues?

The PDPC first determined that MCE was not acting on behalf of a public agency and was therefore subject to the full range of obligations under the PDPA, including the protection obligation under section 24.

The PDPC then examined the specific security failures that led to the breach of personal data. It found that MCE had not fulfilled its protection obligation under section 24 when viewed in totality. The PDPC highlighted several key failures:

1. The senior system engineer's failure to reinstate the original firewall rule after making a temporary change, leaving the backup server exposed to the internet.

2. The system engineer's prior installation of remote access software on the backup server, configuring it as a secondary remote desktop protocol (RDP) server, which increased the risk of unauthorized access.

The PDPC noted that as an organization, MCE was responsible for putting in place the necessary measures to prevent data breaches, and could not solely rely on its employees to perform their tasks diligently. The PDPC found that MCE's IT manager did not exercise adequate supervision over the IT team, as evidenced by issues such as the failure to remove user accounts of former staff and the lack of standard operating procedures for firewall configuration changes.
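The two lapses the PDPC singles out, a "temporary" firewall opening to the backup server that was never reverted and remote access (RDP) on that server reachable from the internet, are the kind of drift that a rule-level audit inside a change-management process is meant to catch. The following Python script is an added example for illustration; it is not part of the decision and does not describe MCE's actual systems. The rule schema, host addresses, change-ticket references and timestamps are constructed for the example.

```python
"""Change-management audit for a firewall rule set (added example).

Flags rules that (a) allow remote access from any non-private source,
(b) are marked temporary but carry no expiry or are past it, or
(c) are temporary changes with no change-request reference, and offers
an automatic revert for overdue temporary rules so that a forgotten
manual revert does not leave a server exposed indefinitely.
The Rule schema, addresses, tickets and clock are constructed for the
example; they are not MCE's configuration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
import ipaddress

RDP_PORT = 3389


@dataclass
class Rule:
    name: str
    src: str                              # source CIDR
    dst: str                              # destination CIDR
    port: Optional[int]                   # None means any port
    action: str                           # "allow" or "deny"
    temporary: bool = False               # engineer flagged it as short-lived
    expires: Optional[datetime] = None    # deadline for reverting a temporary rule
    ticket: Optional[str] = None          # change-request reference


def allows_from_internet(rule: Rule) -> bool:
    """True if an allow rule admits traffic from any non-private source range."""
    if rule.action != "allow":
        return False
    src = ipaddress.ip_network(rule.src, strict=False)
    return src.prefixlen == 0 or not src.is_private


def temporary_overdue(rule: Rule, now: datetime) -> bool:
    """A temporary rule with no expiry, or one past its expiry, is overdue."""
    return rule.temporary and (rule.expires is None or now > rule.expires)


def audit_rules(rules: List[Rule], now: datetime) -> List[Tuple[str, str]]:
    """Return (rule name, issue) pairs that a reviewer should act on."""
    findings = []
    for r in rules:
        # Internet-reachable RDP, or any-port exposure, of an internal host.
        if allows_from_internet(r) and r.port in (RDP_PORT, None):
            findings.append((r.name, "remote-access-from-internet"))
        if r.temporary:
            if r.expires is None:
                findings.append((r.name, "temporary-without-expiry"))
            elif now > r.expires:
                findings.append((r.name, "temporary-rule-expired"))
            if not r.ticket:
                findings.append((r.name, "no-change-ticket"))
    return findings


def revert_overdue(rules: List[Rule], now: datetime) -> List[Rule]:
    """Drop overdue temporary rules: the fallback when the manual revert is forgotten."""
    return [r for r in rules if not temporary_overdue(r, now)]


# Constructed sample rule set and clock (not real infrastructure).
NOW = datetime(2017, 2, 1, tzinfo=timezone.utc)
SAMPLE_RULES = [
    Rule("allow-rdp-from-office", "10.0.1.0/24", "10.0.2.10/32", RDP_PORT, "allow",
         ticket="CHG-0001"),
    # The forgotten "temporary" opening: any source, any port, to the backup host.
    Rule("tmp-vendor-backup-access", "0.0.0.0/0", "10.0.2.10/32", None, "allow",
         temporary=True, expires=NOW - timedelta(days=14), ticket="CHG-0002"),
    Rule("tmp-no-ticket", "10.0.3.0/24", "10.0.2.20/32", 22, "allow", temporary=True),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

if __name__ == "__main__":
    for name, issue in audit_rules(SAMPLE_RULES, NOW):
        print(f"{name}: {issue}")
    print("after revert:", [r.name for r in revert_overdue(SAMPLE_RULES, NOW)])
```

Run on the sample set, the audit reports the internet-facing backup rule twice (exposed to the internet, and past its expiry) and the ticketless rule twice (no expiry, no change reference), while the permanent office-to-backup RDP rule passes. The design point is that "temporary" is only meaningful if the rule carries an expiry that something enforces; a scheduled job calling `revert_overdue` is the control that would have closed the exposure the PDPC describes regardless of whether the engineer remembered to reinstate the original rule.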

What Was the Outcome?

Based on its findings, the PDPC concluded that MCE had breached its data protection obligations under section 24 of the PDPA. The PDPC did not impose a financial penalty, as MCE had taken various remedial measures after the incident, including strengthening its security arrangements, improving user access controls, and hiring a dedicated IT security officer.

Why Does This Case Matter?

This case is significant as it underscores the importance of organizations making reasonable security arrangements to protect personal data, especially in the face of growing cybersecurity threats such as ransomware attacks. The PDPC's decision emphasizes that organizations cannot solely rely on their employees to maintain data security, but must take proactive steps to identify and mitigate risks, implement appropriate controls, and exercise proper supervision over their IT systems and personnel.

The case also highlights the need for organizations to have clear policies, procedures, and oversight mechanisms in place to manage changes to critical IT infrastructure, such as firewall configurations, which can have significant implications for data security. Failure to do so can result in breaches of data protection obligations, even if no actual data exfiltration occurs.

This judgment serves as a valuable precedent for organizations in Singapore to review and strengthen their data protection practices, particularly in the areas of access control, change management, and IT security governance. It reinforces the PDPC's stance that organizations will be held accountable for lapses in their data protection measures, regardless of whether actual harm has occurred.

Legislation Referenced

  • Personal Data Protection Act (PDPA)

Cases Cited

  • [2016] SGPDPC 6
  • [2018] SGPDPC 28
  • [2018] SGPDPC 4
  • [2019] SGPDPC 1
  • [2019] SGPDPC 34

Source Documents

This article analyses [2019] SGPDPC 34 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
