
Singapore Telecommunications Limited [2019] SGPDPC 36

Analysis of [2019] SGPDPC 36, a decision of the Personal Data Protection Commission on 2019-09-12.

Case Details

  • Citation: [2019] SGPDPC 36
  • Court: Personal Data Protection Commission
  • Date: 2019-09-12
  • Judges: Tan Kiat How, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: Singapore Telecommunications Limited
  • Legal Areas: Data protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2019] SGPDPC 36
  • Judgment Length: 12 pages, 3,018 words

Summary

This case concerns a design flaw in a previous version of Singapore Telecommunications Limited's ("Singtel") mobile app, which resulted in the unauthorized disclosure of personal data belonging to Singtel's customers. The Personal Data Protection Commission (the "Commission") found that Singtel had breached its obligations under Section 24 of the Personal Data Protection Act 2012 ("PDPA") to make reasonable security arrangements to protect the personal data in its possession.

The Commission determined that Singtel failed to adequately validate the parameters sent from the mobile app to Singtel's servers, allowing an attacker to manipulate these parameters and gain unauthorized access to customers' personal data, including their names, billing addresses, account numbers, and service usage details. While Singtel had engaged a third-party security vendor to conduct regular penetration testing, the design flaw was not detected, and Singtel was unaware of the vulnerability.

The Commission emphasized that the design flaw, referred to in the decision as a "Direct Object Reference Vulnerability" (the class OWASP catalogues as Insecure Direct Object Reference, or IDOR, a form of broken access control), was a relatively basic security risk that a reasonable organization should have addressed. Singtel was ordered to pay a financial penalty for its failure to implement reasonable security measures to protect its customers' personal data.

What Were the Facts of This Case?

Singtel is a telecommunications company in Singapore that offers a mobile app called "My Singtel" (the "Mobile App") to enable its customers to track their account information and manage add-on services. The Mobile App communicates with Singtel's servers through Application Programming Interfaces (APIs).

Customers can log in to the Mobile App using three methods: (1) Mobile Station International Subscriber Directory Number (MSISDN) login, where the app verifies the customer's mobile number and IP address; (2) One Time Password (OTP) login, where the customer enters an OTP sent via SMS; and (3) OnePass login, using the customer's Singtel OnePass credentials.

Depending on the login method, customers can access various personal data through the Mobile App, including their mobile number, service plan information, outstanding bill amount, bill payment due date, billing account number, name, billing address, and details of all Singtel services registered under their account.

In May 2017, the Commission received an anonymous tip alleging that the Mobile App had a vulnerability that allowed an attacker to access the account details of other Singtel customers. The investigation found that the vulnerability, a "Direct Object Reference Vulnerability," arose because the server trusted the identifier sent by the app rather than deriving it from the authenticated session, so an attacker could manipulate the parameters sent from the Mobile App to Singtel's servers during a valid login session.

Specifically, an attacker who had authenticated using the OnePass login method could replace the MSISDN (mobile number) field in the API request with another customer's number; because the server did not check that the requested number belonged to the logged-in account, it returned that customer's billing information, including their name, address, and service details. The Commission found that the personal data of approximately 330,000 Singtel customers was put at risk of unauthorized disclosure due to this vulnerability.

The key legal issue in this case was whether Singtel had complied with its obligations under Section 24 of the PDPA to protect the personal data of its customers. Section 24 requires organizations to "make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks" to personal data in their possession or control.

The Commission had to determine whether Singtel's security measures for the Mobile App, including its use of third-party penetration testing, were sufficient to meet the "reasonable security arrangements" standard under the PDPA. The Commission also had to consider whether Singtel's failure to guard against a well-known class of vulnerability, the "Direct Object Reference Vulnerability," in the app's design constituted a breach of its protection obligations.

How Did the Court Analyse the Issues?

The Commission first confirmed that the personal data accessed through the Mobile App, such as customer names, billing addresses, account numbers, and service usage details, fell within the definition of "personal data" under the PDPA. It was also undisputed that Singtel, as the organization operating the Mobile App, was subject to the PDPA's requirements.

The Commission then examined Singtel's security measures for the Mobile App. While Singtel had engaged a third-party security vendor to conduct regular penetration testing, the Commission found that this was not sufficient to meet Singtel's obligations under Section 24. The Commission noted that the "Direct Object Reference Vulnerability" that led to the data breach was a relatively basic design issue and a well-known security risk that a reasonable organization should have addressed.

The Commission pointed to its own guidance in the "Guide to Building Websites for SMEs," which advises organizations to be aware of common website vulnerabilities, such as the Direct Object Reference Vulnerability, and to adopt appropriate programming techniques and practices to prevent personal data from being exposed. The Commission emphasized that the same principles apply to mobile app development, as the server's response to requests from a mobile app raises similar security concerns as a website.

In the Commission's view, Singtel failed to adequately validate the parameters sent from the Mobile App to its servers, which allowed an attacker to manipulate these parameters and gain unauthorized access to customers' personal data. The Commission rejected Singtel's argument that exploiting the vulnerability was "not something that a normal user of the App would attempt" and required a "technically competent" attacker: the difficulty of exploitation did not change the fact that the vulnerability was a basic design flaw that a reasonable organization should have addressed.

What Was the Outcome?

The Commission found that Singtel had breached its obligations under Section 24 of the PDPA by failing to make reasonable security arrangements to protect the personal data of its customers. The Commission ordered Singtel to pay a financial penalty for its failure to implement appropriate security measures to prevent the unauthorized access and disclosure of its customers' personal data.

Singtel subsequently took remedial actions to address the Direct Object Reference Vulnerability in the Mobile App, including enhancing the API to tightly couple the user's identifiers to the authenticated session, so that the record a request may retrieve is determined by the account that logged in rather than by a value supplied in the request. This prevented users from modifying the parameters during an authenticated session to access other customers' data.
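The following is an added illustration of the flaw described in the facts and of the remediation described here, written for this analysis; it is not Singtel's code, and the account, number, and record values are constructed. The vulnerable handler authenticates the caller and then trusts the MSISDN in the request; the hardened handler only serves numbers that the session was bound to at login, and returns the same generic error for a missing, malformed, or foreign number so that the response does not reveal which numbers exist.

```python
import secrets
from dataclasses import dataclass

# Constructed sample billing records keyed by MSISDN (invented numbers, not real customers).
BILLING = {
    "91230001": {"name": "Customer A", "billing_account": "ACC-0001",
                 "address": "1 Example Road", "outstanding_sgd": "42.10"},
    "91230002": {"name": "Customer B", "billing_account": "ACC-0002",
                 "address": "2 Example Road", "outstanding_sgd": "17.55"},
}


class AccessDenied(Exception):
    """Raised for any request the authenticated account is not allowed to make."""


@dataclass(frozen=True)
class Session:
    account_id: str
    owned_msisdns: frozenset  # numbers registered under this account, fixed at login


# In-memory session store: bearer token -> Session. A real deployment would use a
# server-side session store or a signed token carrying the same account binding.
_SESSIONS: dict = {}


def login(account_id: str, owned_msisdns: set) -> str:
    """Issue a session token once the customer has authenticated (e.g. via OnePass).
    Credential checking is out of scope here; the point is what the token is bound to."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = Session(account_id, frozenset(owned_msisdns))
    return token


def _require_session(token: str) -> Session:
    session = _SESSIONS.get(token)
    if session is None:
        raise AccessDenied("not authenticated")
    return session


def get_billing_vulnerable(token: str, params: dict) -> dict:
    """Authenticates the caller, then trusts the MSISDN supplied in the request.
    Any logged-in user can fetch any customer's record by editing that one field."""
    _require_session(token)
    msisdn = params["msisdn"]  # attacker-controlled
    return BILLING[msisdn]


def get_billing_hardened(token: str, params: dict) -> dict:
    """Authorizes as well as authenticates: the record returned must be one of the
    numbers bound to the session. Absent, malformed, and foreign MSISDNs all get the
    same generic error, so the response does not leak which numbers exist."""
    session = _require_session(token)
    msisdn = params.get("msisdn")
    if not isinstance(msisdn, str) or msisdn not in session.owned_msisdns:
        # Worth logging server-side with account_id and the requested value:
        # repeated denials from one session are the signature of enumeration.
        raise AccessDenied("forbidden")
    return BILLING[msisdn]


def simulate_attack() -> dict:
    """Customer A logs in legitimately, then edits the msisdn field to Customer B's number."""
    token = login("acct-A", {"91230001"})
    tampered = {"msisdn": "91230002"}

    leaked = get_billing_vulnerable(token, tampered)["name"]

    try:
        get_billing_hardened(token, tampered)
        denied = False
    except AccessDenied:
        denied = True

    # The legitimate request still works against the hardened endpoint.
    own = get_billing_hardened(token, {"msisdn": "91230001"})["name"]
    return {"vulnerable_leaked": leaked, "hardened_denied": denied, "hardened_own": own}


if __name__ == "__main__":
    print(simulate_attack())
```

The check in the hardened handler is an allow-list derived at login, which is what "coupling the identifier to the session" amounts to in practice: for an account with a single line the MSISDN could simply be taken from the session and the request field ignored altogether, and either way a penetration tester's first tampered request should produce a denial rather than another customer's bill.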

Why Does This Case Matter?

This case highlights the importance for organizations, including those developing mobile apps, of proactively addressing well-known classes of security vulnerability and implementing reasonable security measures to protect the personal data in their possession. The Commission's decision makes clear that organizations cannot simply rely on third-party penetration testing to fulfill their obligations under the PDPA; a missed finding does not transfer the obligation to the tester.

The case also provides guidance on the Commission's expectations regarding the "reasonable security arrangements" required by Section 24 of the PDPA. Organizations must be aware of common security risks and vulnerabilities, such as those catalogued by the Open Web Application Security Project (OWASP), whose Top 10 has long listed insecure direct object references (now grouped under broken access control), and take appropriate steps to mitigate these risks during the design and development of their digital products and services.

This decision serves as a warning to organizations that they may face regulatory action and financial penalties if they fail to implement adequate security measures to protect the personal data in their possession. It underscores the need for organizations to proactively address security vulnerabilities, rather than waiting for a data breach to occur before taking remedial action.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012

Cases Cited

  • [2019] SGPDPC 36

Source Documents

This article analyses [2019] SGPDPC 36 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
