Case Details
- Citation: [2019] SGPDPC 49
- Court: Personal Data Protection Commission
- Date: 2019-12-31
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Singapore Telecommunications Limited
- Legal Areas: Data protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2019] SGPDPC 49
- Judgment Length: 5 pages, 1,273 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that Singapore Telecommunications Limited (the "Organisation") had breached its obligations under the Personal Data Protection Act 2012 (PDPA) to protect the personal data of its subscribers. Due to a technical issue during the migration of its customer database, the Organisation's mobile application allowed certain subscribers to access the personal information of other subscribers, including their mobile numbers, plan details, usage information, and account numbers.
The PDPC determined that the Organisation had failed to conduct thorough testing and anticipate likely scenarios, which led to the unauthorized disclosure of the personal data of 39 subscribers. While the Organisation took prompt action to mitigate the impact, the PDPC imposed a financial penalty of $9,000 on the Organisation for its breach of the PDPA's protection obligation.
The case highlights the importance of robust data protection measures and rigorous testing during system migrations to prevent unauthorized access and disclosure of personal information, even in the face of unexpected technical issues.
What Were the Facts of This Case?
On 21 February 2018, the PDPC received a complaint from an individual mobile subscriber of the Organisation, alleging that they were able to view the personal information of another subscriber when accessing their account details through the Organisation's "MySingTel" mobile application (the "App").
The PDPC's investigation revealed that the incident occurred during the Organisation's migration of its mobile customer account database from its existing billing system (the "Existing System") to a new billing system (the "New System"). Due to a technical issue, certain mobile subscribers were able to view the personal data of other subscribers when using the App for a period of approximately 11 hours on 20 February 2018.
The specific cause of the incident was that when a subscriber logged into the App, the App would query the Organisation's Master Routing Database ("MRD") to check if the subscriber's data had been migrated and then route the query to the relevant billing system. However, due to slow response times, queries by the MRD to the Existing System encountered timeouts. When these timeouts occurred, even if the subscriber had been migrated to the New System, the query would default to the Existing System.
If the subscriber had a "historical number" (such as a temporary "dummy number" issued during a number porting process), the service information associated with both the current mobile number and the historical number would be retrieved and made available to the subscriber. If the historical number had been reassigned to another subscriber (the "Affected Subscriber"), the service information of the Affected Subscriber would also be retrieved and accessible to the original subscriber.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had complied with its obligations under Section 24 of the Personal Data Protection Act 2012 (PDPA) to protect the personal data of its subscribers.
Section 24 of the PDPA requires an organisation to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks."
The PDPC had to determine whether the Organisation had taken reasonable security measures to prevent the unauthorized access and disclosure of the personal data of its subscribers that occurred during the technical issue with the database migration.
How Did the Court Analyse the Issues?
In its analysis, the PDPC acknowledged that the Organisation had not intended for the MRD to route queries to the Existing System in the event of a timeout, and that its intention was for an error message to be displayed instead. The PDPC gave the Organisation the benefit of the doubt on this point.
However, the PDPC found that the Organisation had failed to carry out more thoroughly scoped tests to ensure that the use of "dummy numbers" during the number porting process did not produce any unintended effects. Additionally, the PDPC determined that the Organisation's test plan should have anticipated likely scenarios, such as session timeouts, to discover the potential for the erroneous retrieval and unauthorized disclosure of the Affected Subscribers' personal data.
The PDPC rejected the Organisation's argument that the combination of factors leading to the incident was "obscure": session timeouts and the use of dummy numbers were each foreseeable, and so was their combination. The PDPC stated that more comprehensive testing could have discovered and prevented the unauthorized disclosure of the Affected Subscribers' personal data.
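The following Python simulation is an added illustration of the routing failure described in the facts and of the test scenario the PDPC said a test plan should have anticipated. It is not the Organisation's code and is not drawn from the decision; every class, function name and subscriber record in it is hypothetical. It models an MRD status check that times out, a router that silently defaults to the Existing System (the behaviour that occurred), a legacy lookup that returns service information for every historical number on an account, and a hardened router that fails closed with an error (the behaviour the PDPC noted the Organisation had intended). The `run_scenario` function combines a timeout with a reassigned dummy number and reports which other accounts, if any, were exposed to the requesting subscriber.

```python
from dataclasses import dataclass, field


class LookupTimeout(Exception):
    """The MRD's migration-status query to the Existing System timed out."""


class RoutingError(Exception):
    """Hardened router: migration status unknown, so no lookup is performed."""


@dataclass
class Subscriber:
    account_id: str
    current_number: str
    # Numbers previously linked to this account, e.g. a temporary dummy
    # number issued during porting. A number may since have been reassigned.
    historical_numbers: list = field(default_factory=list)


class ExistingSystem:
    """Legacy billing (hypothetical model): returns service info for the
    current number AND every historical number, resolving each number to
    whoever holds it now."""

    def __init__(self, subscribers):
        self.by_account = {s.account_id: s for s in subscribers}
        self.by_number = {s.current_number: s for s in subscribers}

    def lookup(self, account_id):
        owner = self.by_account[account_id]
        numbers = [owner.current_number, *owner.historical_numbers]
        # Defect kept on purpose to model the incident: no check that the
        # present holder of a historical number is still the requester.
        return [self.by_number[n] for n in numbers if n in self.by_number]


class NewSystem:
    """Migrated billing (hypothetical model): returns only the requester's record."""

    def __init__(self, subscribers):
        self.by_account = {s.account_id: s for s in subscribers}

    def lookup(self, account_id):
        return [self.by_account[account_id]]


class MasterRoutingDatabase:
    """Hypothetical MRD: decides which billing system serves an account."""

    def __init__(self, migrated_accounts, existing_system_slow=False):
        self.migrated = set(migrated_accounts)
        self.existing_system_slow = existing_system_slow

    def resolve(self, account_id):
        # The status check consults the Existing System; when that system is
        # slow the check times out before an answer comes back.
        if self.existing_system_slow:
            raise LookupTimeout(account_id)
        return "new" if account_id in self.migrated else "existing"


def route_fail_open(mrd, systems, account_id):
    """Behaviour described in the decision: on timeout, default to Existing."""
    try:
        target = mrd.resolve(account_id)
    except LookupTimeout:
        target = "existing"  # silent fallback: the root cause
    return systems[target].lookup(account_id)


def route_fail_closed(mrd, systems, account_id):
    """Intended behaviour: surface an error rather than guess the route."""
    try:
        target = mrd.resolve(account_id)
    except LookupTimeout as exc:
        raise RoutingError(f"migration status of {account_id} unknown") from exc
    return systems[target].lookup(account_id)


def exposed_accounts(router, mrd, systems, requester):
    """Account ids returned to `requester` other than its own; empty = no leak."""
    try:
        records = router(mrd, systems, requester)
    except RoutingError:
        return set()  # an error page discloses nothing
    return {r.account_id for r in records} - {requester}


# Constructed sample data (not from the decision): subscriber A has been
# migrated and once held dummy number 8000-0001, now reassigned to B.
SUB_A = Subscriber("A", "9111-1111", historical_numbers=["8000-0001"])
SUB_B = Subscriber("B", "8000-0001")
SYSTEMS = {"existing": ExistingSystem([SUB_A, SUB_B]), "new": NewSystem([SUB_A])}


def run_scenario(existing_system_slow, router):
    """Test-plan case: timeout combined with a reassigned historical number."""
    mrd = MasterRoutingDatabase({"A"}, existing_system_slow=existing_system_slow)
    return exposed_accounts(router, mrd, SYSTEMS, "A")


if __name__ == "__main__":
    for slow in (False, True):
        for router in (route_fail_open, route_fail_closed):
            print(router.__name__, "slow" if slow else "fast",
                  run_scenario(slow, router) or "no exposure")
```

The point of the scenario function is that neither ingredient leaks on its own: with the MRD responding normally the fail-open router returns only the requester's record, and a dummy number that has not been reassigned resolves to nobody else. Only the combination of a timeout and a reassigned historical number exposes account B to subscriber A, which is why a test plan that exercised each factor in isolation would have passed. The fail-closed router removes the exposure regardless of the number data, at the cost of showing an error during the slow period.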
What Was the Outcome?
Based on its findings, the PDPC determined that the Organisation had breached Section 24 of the PDPA by failing to make reasonable security arrangements to prevent the unauthorized access and disclosure of the personal data of its subscribers.
In determining the appropriate directions to impose on the Organisation, the PDPC took into account several mitigating factors, including the Organisation's cooperation during the investigation, its prompt action to implement a temporary fix within 11 hours, and the fact that only 39 subscribers' personal data were actually accessed, out of the 750 subscribers whose data was at risk.
Ultimately, the PDPC directed the Organisation to pay a financial penalty of $9,000 within 30 days. The PDPC did not impose any further directions, as the Organisation had completed its database migration and there were no further risks to the personal data arising from the retrieval of subscriber information from the Existing System.
Why Does This Case Matter?
This case is significant for several reasons:
Firstly, it underscores the importance of robust data protection measures and rigorous testing during system migrations or other major IT changes. Even with the best intentions, technical issues can arise that can lead to the unauthorized disclosure of personal data. Organisations must anticipate and plan for such scenarios to ensure the continued protection of their customers' personal information.
Secondly, the case highlights the PDPC's approach to assessing compliance with the PDPA's protection obligation. The PDPC will not simply accept an organisation's assertion that an incident was caused by an "obscure" combination of factors. Instead, the PDPC will scrutinize whether the organisation has taken reasonable steps to foresee and mitigate potential risks to personal data, even in the face of unexpected technical challenges.
Finally, the financial penalty imposed on the Organisation serves as a reminder to all organisations handling personal data in Singapore of the consequences of failing to meet their data protection obligations. While the penalty in this case was relatively modest, the PDPC has shown its willingness to impose more substantial fines for serious or repeated breaches of the PDPA.
Overall, this case provides valuable guidance for organisations on the importance of proactive data protection measures, thorough testing, and anticipating potential risks to personal data, especially during periods of significant IT change or system migration.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2019] SGPDPC 49
Source Documents
This article analyses [2019] SGPDPC 49 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.