The Personal Data Protection Commission ("PDPC") recently carried out investigations under Section 50(1) of the Personal Data Protection Act 2012 ("PDPA") and subsequently issued a warning and a financial penalty, respectively, to the two entities below:
L’Oréal Singapore Pte. Ltd., Case No. DP-1812-B3091
L’Oréal Singapore Pte. Ltd. (“L’Oréal”) operated a website with a login portal through which its customers could view their profile information and other details (the “Customer Login Page”). The profile information included each customer’s name, email address, postal address, mobile number and date of birth (the “Personal Data”). Development and maintenance of the website were carried out by a vendor engaged by L’Oréal. To improve the website’s loading speed, L’Oréal instructed the vendor to make changes to the website. However, L’Oréal did not scope the User Acceptance Tests (“UATs”) run after the code changes to cover the login and caching functions of the Customer Login Page. As a result, when a customer logged in to the Customer Login Page, his or her Personal Data was cached and then disclosed to the next customer who logged in to the Customer Login Page, until the cache was refreshed. The PDPC found that the Personal Data of 7 individuals had been exposed to the risk of unauthorised disclosure as a result of L’Oréal’s failure to ensure appropriate testing of its website or to make other security arrangements to protect the Personal Data. The PDPC found L’Oréal in breach of Section 24 of the PDPA and issued a warning for this lapse.
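The mechanism the decision describes, a personalised page entering a shared cache and being served to the next visitor, is easy to reproduce and just as easy to catch with the acceptance test that was left out of scope. The following is an added illustration written for this article; it is not L’Oréal’s or its vendor’s code, the decision does not say how their cache was configured, and the path-only cache key, the `Cache-Control` values, the route `/account/profile` and the sample accounts are all assumptions.

```python
# Added illustration of a shared cache leaking a logged-in user's page to the
# next user. Constructed example, not L'Oreal's or its vendor's code; the
# path-only cache key, Cache-Control values and sample accounts are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed sample accounts keyed by session token; no real data.
PROFILES: Dict[str, Dict[str, str]] = {
    "sess-A": {"name": "Customer A", "email": "a@example.com", "dob": "1990-01-01"},
    "sess-B": {"name": "Customer B", "email": "b@example.com", "dob": "1985-06-15"},
}


@dataclass
class Response:
    body: str
    cache_control: str  # value of the Cache-Control header the origin emits


@dataclass
class SharedCache:
    """A shared response cache (reverse proxy / CDN tier) in front of the site.

    It keys entries on the request path only, the behaviour assumed here for
    the speed-up change: the identity of the visitor who populated an entry is
    not part of the key. It follows ordinary HTTP semantics in one respect: a
    response marked 'private' or 'no-store' is never stored by a shared cache.
    """
    store: Dict[str, Response] = field(default_factory=dict)

    def fetch(self, path: str, session: str,
              origin: Callable[[str, str], Response]) -> Response:
        if path in self.store:
            return self.store[path]  # served regardless of who is asking
        resp = origin(path, session)
        directives = {d.strip().split("=")[0] for d in resp.cache_control.split(",")}
        if not directives & {"private", "no-store"}:
            self.store[path] = resp
        return resp


def profile_page_cacheable(path: str, session: str) -> Response:
    """Origin as assumed after the speed-up: the profile page is marked
    cacheable like a static page, with nothing telling the shared cache it
    is personal to the session that requested it."""
    p = PROFILES[session]
    return Response(f"{p['name']} <{p['email']}> born {p['dob']}", "public, max-age=300")


def profile_page_private(path: str, session: str) -> Response:
    """Corrected origin: a page built from a logged-in session is declared
    private and not storable, so the shared cache never holds it."""
    p = PROFILES[session]
    return Response(f"{p['name']} <{p['email']}> born {p['dob']}", "private, no-store")


def login_sequence_leaks(origin: Callable[[str, str], Response]) -> bool:
    """The acceptance test the decision says was left out of scope: log in
    as A, then as B, and check whether B's profile page shows A's data.
    Returns True if the leak reproduces."""
    cache = SharedCache()
    cache.fetch("/account/profile", "sess-A", origin)
    second = cache.fetch("/account/profile", "sess-B", origin)
    return PROFILES["sess-A"]["email"] in second.body


if __name__ == "__main__":
    print("leak with cacheable profile page:", login_sequence_leaks(profile_page_cacheable))
    print("leak with private profile page:", login_sequence_leaks(profile_page_private))
```

The two-login check is the whole test: a UAT that only logs in once, or only as one account, cannot see the problem, which is why the decision faults the scoping of the tests rather than the caching change itself.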
Creative Technology Ltd., Case No. DP-1811-B3058
Creative Technology Ltd. (“Creative”) began operating and hosting an online support forum (the “Forum”) in 2004 for users to share ideas and information on its products. In 2011, Creative adopted third-party forum software, “vBulletin”, to operate and host the Forum internally. Unbeknownst to Creative, the vBulletin software had an SQL injection vulnerability that could allow attackers to extract information held on the platform. The vBulletin developers released patches addressing this vulnerability in 2016, but Creative did not install them. In 2018, an unknown hacker used SQL injection to obtain the personal data of Forum users from the Forum’s database. Creative found that the account information of 484,512 users had been accessed and extracted, of which only 8,258 belonged to active users who had accessed or posted on the Forum between 2014 and 2018. Creative made mitigating representations, including that the disclosure was unlikely to have caused serious or substantial harm or injury given the low sensitivity of the personal data disclosed, and that it had taken swift remedial action on being notified of the incident by suspending and then shutting down the Forum within two weeks and deleting the user database. The PDPC directed Creative to pay a financial penalty of S$15,000, but decided not to impose any other direction as Creative had ceased to operate the Forum and no longer retained the database of Forum users.
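The decision names the class of flaw (SQL injection) but not the specific vBulletin defect, so the following added example shows the general shape of such an extraction rather than anything vBulletin did: a forum search that splices user input into its SQL, a UNION payload that reads the user table through it, and the parameterised form of the same query. This is illustrative code written for this article, not vBulletin's or Creative's code; the table layout, sample rows and payload are constructed.

```python
# Added illustration of SQL injection against a forum search, beside the
# parameterised fix. Constructed example using an in-memory SQLite database;
# not vBulletin's or Creative's code, and not the specific vBulletin flaw.
import sqlite3


def make_forum_db() -> sqlite3.Connection:
    """Constructed forum schema with sample rows (no real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE post (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT,
                           email TEXT, password_hash TEXT);
        INSERT INTO post VALUES (1, 'Sound card drivers'), (2, 'Speaker setup');
        INSERT INTO user VALUES (1, 'alice', 'alice@example.com', 'hash-a'),
                                (2, 'bob',   'bob@example.com',   'hash-b');
        """
    )
    return conn


def search_posts_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Search built by string formatting: the term becomes part of the SQL,
    so a term containing a quote can close the literal and add clauses."""
    sql = f"SELECT title FROM post WHERE title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_posts_safe(conn: sqlite3.Connection, term: str) -> list:
    """Same search with a bound parameter: the term is only ever data and
    cannot alter the statement, whatever characters it contains."""
    sql = "SELECT title FROM post WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


# Constructed UNION-based payload: closes the LIKE literal, appends a SELECT
# over a table the search was never meant to read, and comments out the
# remainder of the original statement ("%'") so it still parses.
PAYLOAD = "x%' UNION SELECT username || ':' || email FROM user -- "


if __name__ == "__main__":
    db = make_forum_db()
    print("normal search:", search_posts_safe(db, "Sound"))
    print("vulnerable search with payload:", search_posts_vulnerable(db, PAYLOAD))
    print("parameterised search with payload:", search_posts_safe(db, PAYLOAD))
```

The vulnerable function returns rows from `user` even though it only ever selects from `post`; the parameterised function returns nothing for the payload because the whole string is matched as a search pattern. Parameterising the query is the code-level fix; for third-party software such as a forum package, the equivalent is applying the vendor's patch, which in this case had been available for two years.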
By: Denise Mirandah
A version of this article first appeared on the GALA Blog. For more information, please visit http://blog.galalaw.com/.