Local telco Zero1 has been fined SG$4,000 by the Personal Data Protection Commission (PDPC) for failing to put in place reasonable measures to protect the personal data of its subscribers. The telco's courier service partner, XDEL Singapore, was fined SG$7,000.
According to the PDPC filing, in the course of delivering SIM cards, XDEL inadvertently disclosed the personal data of Zero1’s customers. Zero1 was founded in 2017 as a Mobile Virtual Network Operator (MVNO) licensed by the Info-communications Media Development Authority of Singapore. The telco appointed XDEL in March 2018 to deliver SIM cards to Zero1's subscribers.
Upon processing applicants' registration, Zero1 would provide to XDEL the subscriber’s information (including the subscriber’s name, NRIC number, delivery address and contact number), the SIM card number and the subscriber’s preferred time of delivery. In the event that the customer had authorised another person to receive the SIM card on his or her behalf, the authorised recipient’s information would additionally be provided to XDEL.
The PDPC filing seen by Marketing found that the first batch of SIM card deliveries took place between 8 and 9 March 2018, and that about 333 URLs linking to notification webpages containing the personal data of 292 individuals were sent out to XDEL in support of this first batch of deliveries. According to the filing, investigations revealed unauthorised access to 175 of the URLs, which contained personal data. According to PDPC's investigations, these URLs were accessed by 82 unique IP addresses over a span of about 34 hours, between 12 and 13 March 2018.
The investigation was led by the commission after Zero1 alerted the PDPC to a post on an online forum thread warning other users not to reveal their Zero1 account numbers in public. The post indicated that it was possible to access another individual’s delivery notification if one was able to determine another subscriber’s membership number. According to XDEL, the notification webpage system was developed in-house. In the course of investigations, the PDPC said XDEL admitted that its developer had failed to test for reasonable security arrangements to protect the personal data in its possession and control.