Case Details
- Citation: [2020] SGPDPC 5
- Court: Personal Data Protection Commission
- Date: 2020-02-04
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Royal Caribbean Cruises (Asia) Pte. Ltd.
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2016] SGPDPC 22, [2019] SGPDPC 5, [2019] SGPDPC 26, [2019] SGPDPC 3, [2020] SGPDPC 5
- Judgment Length: 6 pages, 1,620 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that Royal Caribbean Cruises (Asia) Pte. Ltd. (the "Organisation") had failed to implement reasonable security measures to protect the personal data of its customers and employees, in breach of section 24 of the Personal Data Protection Act 2012 (PDPA). The breach occurred when the Organisation's electronic receipt system, hosted on an Amazon Web Services (AWS) server, was subject to a cyber-attack that resulted in the deletion of the database and the exposure of customer and employee data to unauthorised access.
The PDPC imposed a financial penalty of $16,000 on the Organisation, taking into account the Organisation's cooperation and prompt remedial actions. The case highlights the importance of organisations implementing robust security measures, including regular software patching, to protect the personal data in their possession or control.
What Were the Facts of This Case?
In early 2017, the Organisation engaged an IT vendor (the "IT Vendor") to develop and supply an electronic receipt system (the "Receipt System") to generate and store electronic receipts for payments made by the Organisation's customers for cruise and holiday bookings. The initial plan was for the Receipt System to be hosted on the Organisation's internal server, but after considering that the system would need to be accessed from external IP addresses during events and roadshows, the Organisation asked the IT Vendor to host the Receipt System on an AWS server.
On 11 April 2019, the Organisation encountered difficulties operating the Receipt System and reported the issue to the IT Vendor. The next day, the IT Vendor informed the Organisation that the Receipt System had been subject to a cyber-attack. The cyber-attacker had deleted the database in the Receipt System and replaced it with a ransom message demanding payment to recover the deleted data.
The personal data affected by the incident included the receipt details, payment information, and contact details of 6,004 of the Organisation's customers ("Affected Customers"). For 440 of these Affected Customers who had completed an online check-in process, additional personal data such as nationality, residential address, and passport details were also placed at risk of unauthorised access.
In addition, the personal data of 25 employees of the Organisation, including their names, system usernames and passwords, email addresses, and mobile numbers, were also affected by the incident.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had contravened section 24 of the PDPA, which requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
The PDPC had to determine whether the Organisation had implemented reasonable security measures to protect the customer and employee data stored in the Receipt System, or whether the vulnerabilities and gaps in the system's security arrangements amounted to a breach of the Organisation's obligations under the PDPA.
How Did the Court Analyse the Issues?
The PDPC first established that the Organisation, as the owner and user of the Receipt System, had possession and control over the customer and employee data at all material times. While the IT Vendor was engaged to develop the system, the PDPC found that the IT Vendor had not processed the data on the Organisation's behalf and was therefore not a data intermediary. The responsibility for protecting the data rested solely with the Organisation as the data controller.
The PDPC then examined the specific security vulnerabilities in the Receipt System that led to the cyber-attack and data breach. It found that the administrative credentials (username and password) for the system were stored in files on the same server without any access controls, leaving them publicly accessible. In addition, the version of the phpMyAdmin tool used in the Receipt System had not been patched and contained known security vulnerabilities.
The PDPC rejected the Organisation's argument that it was the IT Vendor's responsibility to implement appropriate security measures, noting that the Organisation had not engaged the IT Vendor to provide security maintenance or patching services. As the data controller, the Organisation was ultimately responsible for ensuring the security of the personal data in the Receipt System.
The PDPC concluded that the Organisation's failure to implement basic security measures, such as properly securing the administrative credentials and regularly patching the system to address known vulnerabilities, resulted in a standard of protection that fell far short of what was required under section 24 of the PDPA.
What Was the Outcome?
The PDPC found the Organisation in breach of section 24 of the PDPA and directed it to pay a financial penalty of $16,000 within 30 days. The PDPC took into account the Organisation's cooperation with the investigation and the prompt remedial actions it took, such as changing the phpMyAdmin web application name, adding IP address restrictions, and engaging a cybersecurity consultant to conduct forensic investigations and identify vulnerabilities.
The PDPC did not impose any further directions, as the Organisation had already taken the necessary steps to address the security issues and prevent similar incidents from occurring in the future.
Why Does This Case Matter?
This case is significant as it reinforces the importance of organisations implementing robust security measures to protect the personal data in their possession or control, as required by the PDPA. The PDPC's decision highlights that simply engaging a third-party vendor to develop or host a system is not enough to absolve an organisation of its data protection obligations.
The case emphasises that organisations must have a clear understanding of the scope of services provided by their vendors and ensure that the necessary security measures are in place, including regular software patching and access controls. Failure to do so can result in serious consequences, such as the financial penalty imposed in this case, as well as potential reputational damage and loss of customer trust.
This decision also builds on the PDPC's previous guidance on the importance of security measures, such as regular patching, to address known vulnerabilities and prevent data breaches. Organisations should take note of these principles and ensure that their data protection practices are in line with the PDPA's requirements.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2016] SGPDPC 22
- [2019] SGPDPC 5
- [2019] SGPDPC 26
- [2019] SGPDPC 3
- [2020] SGPDPC 5
Source Documents
This article analyses [2020] SGPDPC 5 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.