Case Details
- Citation: [2019] SGPDPC 37
- Court: Personal Data Protection Commission
- Date: 2019-09-16
- Plaintiff/Applicant: Zero1 Pte. Ltd. and XDEL Singapore Pte. Ltd.
- Defendant/Respondent: N/A
- Legal Areas: Data protection – Protection obligation, Data protection – Accountability obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2019] SGPDPC 37
- Judgment Length: 11 pages, 2,805 words
Summary
This case involves a data breach incident where the personal data of customers of Zero1 Pte. Ltd., a mobile virtual network operator, was inadvertently disclosed by its courier service provider, XDEL Singapore Pte Ltd. The key issue was whether Zero1 and XDEL (collectively referred to as the "Organisations") had made reasonable security arrangements to protect the personal data in their possession, as required under the Personal Data Protection Act 2012 (PDPA). The Personal Data Protection Commission (PDPC) found that both Organisations had failed to meet the protection obligation under the PDPA and imposed financial penalties on them.
What Were the Facts of This Case?
Zero1 Pte. Ltd. is a mobile virtual network operator founded in 2017. In order to deliver its SIM cards to customers, Zero1 contracted XDEL Singapore Pte Ltd, a courier service provider, to handle the deliveries. As part of this arrangement, Zero1 would provide XDEL with its customers' personal data, including their names, NRIC numbers, delivery addresses, and contact numbers. If a customer had authorized another person to receive the SIM card on their behalf, XDEL would also receive the authorized recipient's personal data.
Each Zero1 customer was provided with a unique URL link that would allow them to access a customized delivery notification webpage to monitor the status of their SIM card delivery. It was through these notification webpages that the customers' personal data was accessed.
In March 2018, during the first batch of SIM card deliveries, investigations revealed that there was unauthorized access to 175 of the 333 URLs containing the personal data of 292 individuals. These URLs were accessed by 82 unique IP addresses over a span of about 34 hours.
The unauthorized access was discovered after a post on an online forum warned users not to reveal their Zero1 account numbers, as it was possible to access another individual's delivery notification by determining their membership number, which was generated in sequential order.
What Were the Key Legal Issues?
The key legal issue in this case was whether Zero1 and XDEL had made reasonable security arrangements to protect the personal data of Zero1's customers, as required under Section 24 of the PDPA. The PDPC had to determine if the Organisations had breached their protection obligation under the PDPA.
How Did the Court Analyse the Issues?
The PDPC first established that the personal data in question was indeed "personal data" as defined in the PDPA, and that both Zero1 and XDEL were considered "organisations" under the Act. It was also not disputed that the protection obligation under Section 24 of the PDPA applied to both Organisations.
The PDPC then examined the security arrangements put in place by the Organisations to protect the personal data. In the case of Zero1, the PDPC found that the company had failed to make reasonable security arrangements. While Zero1 was aware of the use of the notification webpage and the type of personal data displayed on it, it had relied entirely on the warranty in the service agreement with XDEL and the customer references provided, without making any effort to identify potential risks or seek assurance that XDEL had taken steps to protect against those risks.
The PDPC noted that Zero1's lack of technical expertise in areas such as coding, cybersecurity, and data encryption did not excuse it from its obligation to identify foreseeable risks and work with XDEL to assess and mitigate them. The PDPC stated that what was required was not technical oversight, but rather the identification of potential risks and ensuring that XDEL had taken reasonable measures to address them.
As for XDEL, the PDPC found that the company had also failed to make reasonable security arrangements. The unauthorized access was made possible due to a flaw in the design of XDEL's notification webpage system, where the system would grant access if a partial code was presented, instead of requiring the complete code. This allowed individuals to access other customers' personal data by guessing the sequential subscriber numbers.
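The two designs the PDPC contrasts, side by side, as an added illustration that is not code from the judgment or from either Organisation's system: a lookup that accepts a partial code whose visible part is a sequential subscriber number, the same lookup keyed on an unguessable fixed-length token, and a simple log check for the access pattern such enumeration leaves. Record shapes, the "<number>-<suffix>" code format, the 32-character token length and the detection threshold are all assumptions constructed for this example.

```python
import secrets
from collections import defaultdict

# Constructed sample records (not real data). Subscriber numbers are sequential
# and, in the weak design, the delivery code is "<subscriber number>-<suffix>".
DELIVERIES = {
    "000101-4f2a": {"name": "Customer A", "address": "Address 1"},
    "000102-9c7e": {"name": "Customer B", "address": "Address 2"},
    "000103-d31b": {"name": "Customer C", "address": "Address 3"},
}


def lookup_vulnerable(presented: str):
    """Weak design: any non-empty prefix of a stored code is accepted, so the
    sequential subscriber number alone unlocks the record."""
    for code, record in DELIVERIES.items():
        if presented and code.startswith(presented):
            return record
    return None


def new_token() -> str:
    """Unguessable, fixed-length token that carries no subscriber number."""
    return secrets.token_urlsafe(24)  # 192 bits of randomness, 32 characters


# Hardened design: a record is reachable only through its full random token.
TOKENS = {new_token(): record for record in DELIVERIES.values()}


def lookup_hardened(presented: str):
    """Accept only an exact, full-length token; partial codes never match."""
    if not isinstance(presented, str) or len(presented) != 32:
        return None
    return TOKENS.get(presented)


def flag_enumeration(access_log, threshold: int = 5):
    """Detection check: source IPs that requested at least `threshold` distinct
    delivery pages in one window (assumed threshold), the footprint of
    sequential guessing. access_log is an iterable of (ip, code) pairs."""
    seen = defaultdict(set)
    for ip, code in access_log:
        seen[ip].add(code)
    return sorted(ip for ip, codes in seen.items() if len(codes) >= threshold)
```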
What Was the Outcome?
Based on its findings, the PDPC concluded that both Zero1 and XDEL had breached the protection obligation under Section 24 of the PDPA. The PDPC imposed financial penalties on both Organisations: Zero1 was fined $5,000, and XDEL was fined $16,000.
Why Does This Case Matter?
This case is significant as it highlights the importance of organizations, both data controllers and data intermediaries, taking reasonable security measures to protect personal data in their possession or under their control. The PDPC's decision emphasizes that organizations cannot simply rely on warranties or customer references, but must actively identify and mitigate potential risks, even if they lack technical expertise in certain areas.
The case also serves as a reminder that organizations must carefully design and test their systems and processes to prevent unauthorized access to personal data. The flaw in XDEL's notification webpage system, which allowed partial codes to grant access, demonstrates the need for robust security measures and thorough testing to anticipate and address potential vulnerabilities.
This decision sets an important precedent for organizations in Singapore, underscoring their obligations under the PDPA to protect personal data and the consequences they may face for failing to do so. It emphasizes that organizations must take a proactive and diligent approach to data protection, regardless of their technical capabilities, in order to comply with the law and safeguard the privacy of individuals.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2019] SGPDPC 37
Source Documents
This article analyses [2019] SGPDPC 37 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.