Case Details
- Citation: [2022] SGPDPC 8
- Court: Personal Data Protection Commission
- Date: 2022-10-28
- Judges: Lew Chuen Hong, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: RedMart Limited
- Legal Areas: Data Protection – Protection obligation, Data Protection – Financial penalty
- Statutes Referenced: Personal Data Protection Act
- Cases Cited: [2016] SGPDPC 15, [2019] SGPDPC 31, [2022] SGPDPC 6, [2022] SGPDPC 8
- Judgment Length: 22 pages, 5,154 words
Summary
This case involves an investigation by the Singapore Personal Data Protection Commission (the "Commission") into a data breach incident at RedMart Limited (the "Organisation"). The Commission found that the Organisation had breached its obligation under section 24 of the Personal Data Protection Act 2012 ("PDPA") to protect the personal data of its customers and sellers by failing to implement reasonable security measures. As a result, an unidentified threat actor was able to gain unauthorized access to a database containing the personal information of nearly 900,000 individuals. The Commission imposed a financial penalty on the Organisation for its failure to comply with the PDPA's protection obligation.
What Were the Facts of This Case?
RedMart Limited was an online platform that sold groceries and fresh produce to consumers in Singapore. In 2016, the Organisation was acquired by Lazada Group ("Lazada"). After the acquisition, the Organisation began integrating its platform with Lazada's online platform.
Prior to the acquisition, the Organisation's business applications and customer data were stored in RedMart's Amazon Web Services Virtual Public Cloud (the "AWS Environment"). The personal data of its customers and sellers was stored in a MongoDB database within RedMart's Alibaba Virtual Public Cloud (the "RedMart Cloud"). The Organisation did not encrypt the MongoDB database or implement any password authentication requirements to access it.
After the acquisition, the Organisation's intention was to migrate all relevant databases and applications from the AWS Environment into the RedMart Cloud to facilitate integration with Lazada's systems. However, this migration was not completed by March 2019, when the Organisation's customer-facing website and mobile application ceased operations. At that time, the front-end systems were migrated to the RedMart Cloud, but the back-end business applications and the MongoDB database (the "Affected Database") remained in the AWS Environment, connected to the RedMart Cloud via an OpenVPN connection.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had breached its obligation under section 24 of the PDPA to protect the personal data of its customers and sellers by taking reasonable security steps or arrangements to prevent unauthorized access and disclosure.
Specifically, the Commission investigated the security measures implemented by the Organisation to safeguard the Affected Database, which contained sensitive personal information such as names, email addresses, contact numbers, residential addresses, partial credit card details, and hashed account passwords.
How Did the Court Analyse the Issues?
In determining whether the Organisation had breached its protection obligation under the PDPA, the Commission considered the nature of the personal data in the Affected Database and the potential impact that its disclosure could have on the affected individuals.
The Commission found that the Organisation had failed to implement reasonable security measures to protect the Affected Database. Specifically:
1. The Organisation did not encrypt the MongoDB database or implement any password authentication requirements to access it, despite the sensitive nature of the personal data it contained.
2. The Organisation's IT infrastructure was structured in a way that allowed a threat actor to gain unauthorized access to the Affected Database. The threat actor was able to exploit vulnerabilities in the Organisation's GitHub repositories, AWS Environment, and the OpenVPN connection between the AWS Environment and the RedMart Cloud.
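The two failings above map directly onto MongoDB's server configuration. The following `mongod.conf` is an added illustration, not material from the decision or from RedMart: the commented-out section reproduces the weak state the Commission describes (no authentication, listening on every interface), and the live section shows the hardened equivalent. The IP addresses and certificate path are placeholders.

```yaml
# --- Weak state (as described in finding 1): do not deploy ---
# No "security" section at all, so authorization defaults to disabled and
# any client that can reach the port reads the data without a password.
# net:
#   bindIp: 0.0.0.0        # reachable from every interface, including the VPN
#   port: 27017

# --- Hardened equivalent ---
security:
  authorization: enabled   # clients must authenticate; role-based access applies
  # Encryption at rest via the WiredTiger storage engine is an Enterprise/Atlas
  # feature (security.enableEncryption); on Community builds use volume-level
  # encryption on the data directory instead.

net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.20   # placeholder: loopback plus the app subnet address only
  tls:
    mode: requireTLS            # refuse plaintext connections over the VPN link
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path

storage:
  dbPath: /var/lib/mongodb
```

Two checks worth running after such a change: connect from a host outside the allowed subnet and confirm the port is unreachable, and connect without credentials and confirm that any read against the collection is rejected rather than returned. With `authorization: enabled` and no users yet created, MongoDB's localhost exception lets the first administrative user be created from the loopback interface only.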
The Commission noted that the Organisation's failure to implement reasonable security measures was a serious breach, as it allowed the threat actor to access and exfiltrate a large trove of personal data belonging to nearly 900,000 individuals.
What Was the Outcome?
Based on its findings, the Commission determined that the Organisation had breached its protection obligation under section 24 of the PDPA. The Commission imposed a financial penalty of S$90,000 on the Organisation for its failure to comply with the PDPA.
In determining the appropriate penalty, the Commission took into account the Organisation's voluntary admission of liability, its cooperation during the investigation, and the remedial measures it had implemented to mitigate the effects of the incident and prevent similar incidents in the future.
Why Does This Case Matter?
This case highlights the importance of organizations implementing robust security measures to protect the personal data in their possession or under their control, as required by the PDPA. The Commission's decision sends a clear message that failure to comply with the protection obligation can result in significant financial penalties.
The case also provides valuable guidance on the types of security measures that organizations should consider implementing to safeguard sensitive personal data, such as encryption, access controls, and network segmentation. The Commission's analysis of the Organisation's IT infrastructure and the vulnerabilities that allowed the threat actor to gain unauthorized access offers insights that can help other organizations assess and improve their own data security practices.
Furthermore, this case underscores the need for organizations to carefully manage the integration of IT systems and data migration processes, particularly when undergoing corporate acquisitions or restructuring. Failure to do so can expose personal data to significant risks of unauthorized access and disclosure.
Legislation Referenced
- Personal Data Protection Act 2012
Cases Cited
- [2016] SGPDPC 15
- [2019] SGPDPC 31
- [2022] SGPDPC 6
- [2022] SGPDPC 8
Source Documents
This article analyses [2022] SGPDPC 8 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.