For learning and prevention: 3 case studies [v.2 – 1 Aug 2019]
The first government judgment and warning relates to the popular messaging app, WhatsApp. The second judgment and fine involves email. The final judgment and warning concerns website security.
2 One of the many preschools under the Organisation’s management is the Sparkletots @ Kampong Chai Chee centre (the “preschool”). In the course of the year, the preschool would organise various school trips, sometimes with the participation of the parents. In preparation for these trips, the preschool would collect the parents’ personal data (including NRIC numbers) to allow for verification of the parents’ identity on the day of the trip.
3 The present investigations arise from one such school trip. A few days before the trip was scheduled to take place, a teacher at the preschool sent a photograph of a consolidated attendance list to a “WhatsApp” chat group, reminding parents of the upcoming school trip. The attendance list contained personal data relating to the 15 students in that particular class and their parents, and included the contact numbers and NRIC numbers of five of the parents (the “Personal Data”). The “WhatsApp” chat group comprised… parents of students from that class.
4 The teacher who sent the photograph of the attendance list quickly deleted it after being alerted to the disclosure of personal data by one of the parents within the group chat. That same parent later lodged a complaint with the Personal Data Protection Commission (“PDPC”). The PDPC thereafter commenced investigations into the incident…
8 After a review of all the evidence obtained by PDPC during its investigation and for the reasons set out below, I am of the view that the Organisation had failed to make reasonable security arrangements to protect the personal data in its possession and control, and has thereby breached the Protection Obligation under section 24 of the PDPA. This breach is attributable primarily to the Organisation’s lack of specific policies or procedures in place to guide its employees on the use, handling and disclosure of personal data, especially in the context of communicating with parents…
16 To its credit, the Organisation also acted swiftly to address their inadequate policies – a response which, in my assessment, carries mitigating value. The following remedial actions taken by the Organisation have therefore been taken into account:
(a) Immediate suspension of all “WhatsApp” chat groups following the disclosure;
(b) Expedited the implementation of a set of “Social Media Policy / Whatsapp chat group rules” that was already under development when the breach occurred;
(c) Rolled out a suite of other policies across the Organisation including a “Document Retention Policy” and an “Information Security Policy”; and
(d) Undertook the development of a practical employee handbook and conducted refresher training for its employees.
17 Having considered all the relevant factors of the case, I am of the view that these remedial actions have sufficiently addressed the current gap in policies and practices relating to the handling of personal data by the Organisation’s employees. I have therefore decided to issue a warning to the Organisation for breaching its obligations under section 24 of the PDPA, without further directions or imposing a financial penalty.
PAP Community Foundation SGPDPC 6 (Case No DP-1807-B2434). Personal Data Protection Commission. (23 Apr 2019). https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision—PAP-Community-Foundation—230419.pdf. Singapore.
2 On 27 November 2017, the Personal Data Protection Commission (the “Commission”) received notification from the Institute of Singapore Chartered Accountants (“ISCA”) that one of its employees inadvertently sent an email attaching a Microsoft Excel document containing personal data of 1,906 individuals (the “Excel File”) to an unintended recipient (the “Incident”)…
5 On or about 23 November 2017, as part of business operations, 2 ISCA employees (the “First Employee” and the “Second Employee”, collectively the “Employees”) were unable to open the Excel File (stored on ISCA’s internal shared drive) as it appeared to be corrupted. The Employees sought the assistance of ISCA’s IT department. Arising from this, ISCA’s IT Support Specialist sent an email to the System/Network Engineer from the ICT department to recover the Excel File from the backup server, and to send the recovered Excel File to the Employees.
6 On 24 November 2017, the System/Network Engineer created an email to send the recovered Excel File as an attachment to the Employees (the “Subject Email”). As the earlier email from the IT Support Specialist did not include the Employees in the addressee list, the System/Network Engineer had to specifically insert the Employees in the recipient section of the Subject Email. Due to the auto-complete feature in Microsoft Outlook’s email software, the System/Network Engineer inadvertently selected an accounts manager (the “Unintended Recipient”) in a listed telecommunications service provider (“Telco”) instead of the First Employee as they both had the same first name. The Subject Email containing the Excel File was therefore sent to the IT Support Specialist, the Second Employee and the Unintended Recipient. The Excel File was not encrypted with a password…
18 The Commissioner found that ISCA failed to put in place reasonable security arrangements to protect the Subject Data in the Excel File during email transmission for the following reasons:
(a) The volume (1,906 members) and type (data with a higher expectation of confidentiality) of Subject Data in the Excel File warranted direct protection. In this regard, ISCA should have had a policy/SOP that applied to all employees requiring password based encryption for the Excel File in respect of both external and internal emails. This would be a reasonable security arrangement to protect the Subject Data against unauthorised access in the event the Subject Email was sent to any unintended recipient…
23 Having considered all the relevant factors of this case, the Commissioner hereby directs ISCA to do the following:
(a) Within 90 days from the date of the Commissioner’s directions, review its policies and security arrangements in respect of electronic transmission of documents containing personal data; and
(b) Pay a financial penalty of S$6,000.00 within 30 days from the date of the Commissioner’s direction, failing which, interest at the rate specified in the Rules of Court in respect of judgment debts, shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full.
Institute of Singapore Chartered Accountants SGPDPC 28. Personal Data Protection Commission. (13 Dec 2018). https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision—Institute-of-Singapore-Chartered-Accountants—131218.pdf. Singapore.
2 On 8 June 2018, the Personal Data Protection Commission (the “Commission”) received a complaint from an individual (the “Complainant”) in relation to the publication of personal data belonging to 50 individuals on the Organisation’s website, http://www.tutorcity.com.sg (the “Website”). Specifically, images of the educational certificates of tutors using the Website were found to be publicly accessible by Internet users (the “Incident”)…
7 As part of the Website’s features, tutors interested in using the Organisation’s matching service are given the option of voluntarily uploading up to three different educational certificates onto the Website. These certificates assisted the Organisation in matching the needs of the student in question to suitable tutors. These certificates were not intended to be made publicly accessible.
8 Notwithstanding this, all uploaded certificates were stored in the /Public_html/ directory (the “Public Directory”) of the Website’s server within a sub-folder, Public_html\tutor\tutor_image (the “Image Directory”). Both directories were not secured with any form of access controls and were accessible by the public so long as the path to the relevant directory was known…
21 In the present case, I am advised that where documents containing personal data have to reside on web servers, folder or directory permissions and access controls are a common and direct way of preventing their unauthorised access by public users and web crawlers. Depending on its circumstances, the Organisation could therefore have implemented any of the following reasonable technical security measures to prevent its Image Directory from being indexed by web crawlers:
(a) First, the Organisation could have placed these documents in a folder of a non-public folder/directory. Access to such documents will then be controlled by the server’s administrator. While this may not be ideal in complex servers with multiple web applications—given that it may not be practicable for the server administrator to control access to all these files—this is not the case for the present Website.
(b) Second, the Organisation could have placed these documents in a folder of a non-public folder or directory, with access to these documents being through web applications on the server. This could be done through PHP scripts. To access the data in the documents, users would have to first log into the web application.
(c) Third, the Organisation could have placed these documents in a sub-folder within the Public Directory but control access to files by creating a .htaccess file within that sub-folder. This .htaccess file may specify the access restrictions (e.g. implement a password requirement or an IP address restriction). An index.html file could also be created within that sub-folder to show a HTML page with no content or a denial of access. Any unauthorised user would then need the specific URL to access a document in the sub-folder. However, given that the Public Directory is the web root directory containing all the content to be displayed on the Website, it should not have overly restrictive access rights. This may pose some challenges for organisations seeking to balance access restrictions to specific documents against retaining accessibility to website content that is intended to be public…
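Option (b) above, as an added example that is not part of the decision or the Website’s own code: a PHP handler that serves a tutor’s certificate from a directory outside the web root, and only after the session check passes. The directory layout, session keys and query parameters are assumptions.

```php
<?php
// Added example (not from the PDPC decision or the Tutor City site): serve
// tutor certificates from a directory the web server never exposes directly.
// Assumed layout: /var/www/html is the public web root; certificates live in
// /var/www/private/tutor_certs/<tutor_id>/<file> (outside the web root).
declare(strict_types=1);

const CERT_ROOT = '/var/www/private/tutor_certs';

session_start();

// 1. Anonymous users and web crawlers get nothing: a login is required.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required.');
}

// 2. Only the tutor who uploaded the certificate, or staff, may fetch it.
$tutorId = (string) ($_GET['tutor'] ?? '');
$file    = (string) ($_GET['file'] ?? '');
$isOwner = (string) $_SESSION['user_id'] === $tutorId;
$isStaff = !empty($_SESSION['is_staff']);
if (!$isOwner && !$isStaff) {
    http_response_code(403);
    exit('Not permitted.');
}

// 3. Accept only a plain id and filename, resolve the path, and confirm it
//    still lies inside CERT_ROOT (defeats ../ and symlink escapes).
if (!preg_match('/^[0-9]+$/', $tutorId) || !preg_match('/^[A-Za-z0-9_.-]+$/', $file)) {
    http_response_code(400);
    exit('Bad request.');
}
$path = realpath(CERT_ROOT . '/' . $tutorId . '/' . $file);
if ($path === false || strpos($path, CERT_ROOT . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found.');
}

// 4. Stream the file with a fixed content type; never let the browser sniff.
$allowed = ['pdf' => 'application/pdf', 'jpg' => 'image/jpeg', 'png' => 'image/png'];
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) {
    http_response_code(404);
    exit('Not found.');
}
header('Content-Type: ' . $allowed[$ext]);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

With this layout, knowing the path to a certificate is no longer enough: a request without a valid session is refused before any file is read.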
27 I find on the facts above that the Organisation did not make reasonable security arrangements to protect personal data in its possession or under its control against the risk of unauthorised access. The Organisation is therefore in breach of section 24 of the PDPA. I took into account the number of affected individuals, the type of personal data at risk of unauthorised access and the remedial action by the Organisation to prevent recurrence. I have decided to issue a warning to the Organisation for the breach of its obligation under section 24 of the PDPA as neither further directions nor a financial penalty is warranted in this case.
Tutor City SGPDPC 5 (Case No DP-1806-B2228). Personal Data Protection Commission. (23 Apr 2019). https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision—Tutor-City-230419.pdf. Singapore.
…The absence of a second layer of basic checks “amounted to extremely weak internal work process controls (that) fell far short of the standard of protection required for such sensitive personal data”, said PDPC deputy commissioner Yeong Zee Kin in a decision paper issued on Wednesday…
In its advisory guidelines, PDPC had recommended that paper containing personal information be shredded into small pieces and not dumped in unsecured bins.
Similarly, personal data stored on electronic media such as computer hard disks, USB drives or DVDs must be erased using specialised software to avoid accidental data leaks.
Aviva fined $6,000 for data breach. Irene Tham. (Oct 13, 2017). https://www.straitstimes.com/tech/aviva-fined-6000-for-data-breach. The Straits Times. Singapore.
Aviva’s most recent offence involved four underwriting letters, meant for four different people, being sent to a single person, all contained in one envelope. The letters contained clients’ full names, addresses, policy details, and sums assured.
“[Aviva] failed to conduct a more thorough review of its internal departments… that are subject to the same vulnerabilities and risk similar failures as the prior incident,” PDPC said…
Meanwhile, AIG had printed a wrong fax number, which was actually that of Japanese products retailer Tokyu Hands, on 125 policy letters. PDPC said that AIG policyholders could have mistakenly sent their personal data to Tokyu Hands due to the misprint.
Singapore’s privacy watchdog fines three insurers for data breaches. Gabriel Olano. (5 May 2018). https://www.insurancebusinessmag.com/asia/news/breaking-news/singapores-privacy-watchdog-fines-three-insurers-for-data-breaches-99807.aspx. Insurance Business Asia.