Data breach by COURTS

Feb 26 2019 | by OrionW

On 22nd January 2019, the Personal Data Protection Commission (PDPC) directed COURTS (Singapore) Pte Ltd (COURTS) to pay a S$15,000 penalty for breaching Section 24 (Protection Obligation) of the Personal Data Protection Act 2012.

The matter arose from a complaint relating to the operation of COURTS’ website (Website). Customers wishing to make a purchase on the Website could check out either with their COURTS account, if they had one, or as a guest. To check out as a guest, a customer was required to enter their name and email address. To give guests a smoother check-out process, if the email address entered matched an email address previously used to make a purchase on the Website, the contact number and residential address (Personal Data Set) associated with that email address in COURTS’ database were automatically displayed on the guest check-out page, even if the name entered did not match the name previously used with that email address. In short, simply entering an email address, which is widely shared and readily searchable on public platforms, was enough to expose another individual’s Personal Data Set.

The PDPC ruled that using an email address as the sole login credential fell short of the standard required under the Protection Obligation to prevent unauthorised access to personal data. The PDPC also found that COURTS had failed to conduct penetration tests, security scans and maintenance of its Website since its launch, thereby neglecting its responsibility to put in place adequate security arrangements to protect its customers’ personal data, as required under the Protection Obligation.

In determining the amount of the financial penalty, the PDPC considered as aggravating factors the lack of sufficient security arrangements, the long period during which personal data was at risk of unauthorised disclosure, and COURTS’ lack of initiative in gathering more information about the incident complained of. However, the PDPC also found as mitigating factors the limited number of persons put at risk by the security breach, the absence of actual loss or damage, and COURTS’ implementation of measures to prevent recurrence.

Key takeaways

  • Organisations should not compromise on security in favour of a smoother online check-out process. Data collected from guest check-outs should be erased from the server, even if customers will then have to re-enter their personal data for each new purchase.

  • Organisations should carry out a full audit of their personal data processes and employ additional security measures such as penetration tests for their websites.
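As an added illustration (not COURTS’ code; the function names and sample data are constructed), the following shows the guest check-out prefill behaviour described in the decision beside a hardened version that applies both takeaways: stored details are released only to a customer who has logged in to the account that owns the email address, and details entered at a guest check-out are not retained as a prefill source.

```python
"""Added example: guest check-out prefill, flawed and hardened forms.
All names, addresses and function names are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PersonalDataSet:
    contact_number: str
    residential_address: str


# Constructed sample of prior purchases keyed by e-mail address: (name, data set).
HISTORY: Dict[str, Tuple[str, PersonalDataSet]] = {
    "alice@example.com": ("Alice Tan", PersonalDataSet("+65 9123 4567", "1 Example Road #02-03")),
}


def _key(email: str) -> str:
    return email.strip().lower()


def prefill_vulnerable(name: str, email: str, history: Dict) -> Optional[PersonalDataSet]:
    """Flawed behaviour: a matching e-mail address alone releases the stored data set.
    The name entered is never checked, so anyone who knows the address gets the record."""
    record = history.get(_key(email))
    return record[1] if record else None


def prefill_hardened(email: str, authenticated_email: Optional[str], history: Dict) -> Optional[PersonalDataSet]:
    """Prefill only when the session is logged in as the account that owns the address.
    A guest (no authenticated session) gets nothing and re-enters their details."""
    if authenticated_email is None or _key(authenticated_email) != _key(email):
        return None
    record = history.get(_key(email))
    return record[1] if record else None


def complete_guest_order(email: str, data: PersonalDataSet, orders: List, history: Dict) -> None:
    """Second takeaway: the guest's details go to the order record only and are
    deliberately not written to the prefill history, so a later guest check-out
    using the same e-mail address cannot surface them."""
    orders.append((_key(email), data))
```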