Consumer electronics and furniture retailer COURTS has been fined SG$9,000 by the Personal Data Protection Commission (PDPC) for exposing some of its members’ data and allowing unauthorised access to members' Homeclub accounts. The incident affected 76,844 of its members, of whom 128 accessed a link in the eDM sent to them between 31 August 2019 and 1 September 2019. It led to unauthorised access to members’ accounts, exposing personal details such as name, email address, mobile number, date of birth, address, password, and transactional information.
According to PDPC, COURTS sent an eDM on 31 August 2019 which included for the first time, a new eDM link, which required members to log in to their respective Homeclub accounts and provide their mobile numbers to replace NRIC numbers that were previously used as the membership identifier. The new eDM link did not operate as intended.
As a result, when one member clicked on the new eDM link and logged into his or her Homeclub account without logging out, all other members who clicked on the new eDM link within the next 60 minutes were automatically directed to the original member’s account, without having to authenticate with their own credentials.
Investigations by PDPC found that only one employee in COURTS’ digital marketing team was in charge of creating the new eDM link and testing it prior to its launch. The employee conducted a limited test, sending the eDM containing the new eDM link to himself.
PDPC found the test “limited” and “clearly inadequate”. It added that organisations should ensure that testing scenarios are properly scoped. In COURTS’ case, it intended to send the eDM to a very large number of members. It is therefore foreseeable that testing scenarios should include multiple sequential logins or even concurrent logins to the Homeclub login page at peak usage. If it had tested the new eDM link in a way that approximated this real-world scenario, the incident would likely have come to light at that stage.
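The following is an added illustration, not part of the original article and not COURTS's code. It models the behaviour the decision describes (a second member following the link within 60 minutes lands in the first member's account) using one assumed mechanism consistent with that symptom: the server keeps a single logged-in session slot per campaign link instead of binding the session to the browser that authenticated. Beside it is the corrected per-browser session, and the three test scenarios the decision contrasts: the single-tester check that was actually run, and the sequential and concurrent logins PDPC said should have been in scope. Member names, passwords, the link identifier and the class names are constructed for the example.

```python
import secrets

SESSION_TTL_SECONDS = 60 * 60   # the 60-minute window described in the decision

# Constructed member table for the example (not real member data).
MEMBERS = {"alice": "pw-alice", "bob": "pw-bob"}


class VulnerableEdmLink:
    """Assumed flawed design: the server keeps ONE logged-in session per campaign
    link, so any browser that follows the link while that session is alive is
    shown that member's account without authenticating."""

    def __init__(self):
        self.link_session = {}  # link_id -> (member_id, login_time)

    def visit(self, link_id, cookies, now):
        sess = self.link_session.get(link_id)
        if sess and now - sess[1] < SESSION_TTL_SECONDS:
            return sess[0]      # BUG: the visiting browser's own cookies are never consulted
        return None             # None means the login page is shown

    def login(self, link_id, cookies, member_id, password, now):
        if MEMBERS.get(member_id) != password:
            return None
        self.link_session[link_id] = (member_id, now)   # overwrites whoever was there
        return member_id


class FixedEdmLink:
    """Corrected design: session identity lives in a per-browser cookie issued
    at login; the link only decides where to land after authentication."""

    def __init__(self):
        self.sessions = {}      # session token -> (member_id, login_time)

    def visit(self, link_id, cookies, now):
        sess = self.sessions.get(cookies.get("session"))
        if sess and now - sess[1] < SESSION_TTL_SECONDS:
            return sess[0]
        return None

    def login(self, link_id, cookies, member_id, password, now):
        if MEMBERS.get(member_id) != password:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (member_id, now)
        cookies["session"] = token   # bound to this browser only
        return member_id


LINK = "edm-2019-08-31"   # constructed link identifier


def single_tester_scenario(handler):
    """The test that was run: one person, one browser. Passes for both designs,
    which is why it could not reveal the flaw."""
    browser = {}
    handler.login(LINK, browser, "alice", "pw-alice", now=0)
    return handler.visit(LINK, browser, now=60)


def sequential_login_scenario(handler):
    """Two members follow the same link within 60 minutes, one after the other.
    Returns what the second member's fresh browser is shown."""
    alice_browser, bob_browser = {}, {}
    handler.login(LINK, alice_browser, "alice", "pw-alice", now=0)
    return handler.visit(LINK, bob_browser, now=10 * 60)


def concurrent_login_scenario(handler):
    """Both members log in within the window. Returns what Alice sees afterwards
    in her own browser."""
    alice_browser, bob_browser = {}, {}
    handler.login(LINK, alice_browser, "alice", "pw-alice", now=0)
    handler.login(LINK, bob_browser, "bob", "pw-bob", now=5 * 60)
    return handler.visit(LINK, alice_browser, now=6 * 60)


if __name__ == "__main__":
    for name, handler_cls in (("vulnerable", VulnerableEdmLink), ("fixed", FixedEdmLink)):
        print(name, "single tester:", single_tester_scenario(handler_cls()))
        print(name, "sequential, Bob sees:", sequential_login_scenario(handler_cls()))
        print(name, "concurrent, Alice sees:", concurrent_login_scenario(handler_cls()))
```

The single-tester scenario returns "alice" for both designs; only the sequential and concurrent scenarios separate them, which is the point PDPC made about scoping test cases to the real rollout.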
PDPC also took into account as an aggravating factor that this is the second time COURTS has been found in breach of the Protection Obligation, which requires an organisation to make reasonable security arrangements to protect personal data in its possession or under its control in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
According to The Straits Times, COURTS was previously fined SG$15,000 in January 2019 for a vulnerability in its website. This led to the potential exposure of a member's contact number and address to any users who entered the member's name and email address on COURTS' guest log-in page.