The Personal Data Protection Commission (PDPC) in Singapore has fined Singtel and Ninja Van for breaching the Personal Data Protection Act (PDPA). Filings by deputy commissioner Yeong Zee Kin showed that Singtel received a financial penalty of SG$25,000 for exposing the personal data of approximately 330,000 of its mobile app users, while Ninja Van was fined SG$90,000 for exposing the personal data of about 1.26 million customers.
The case against Singtel was brought up in May 2017, when an anonymous informant alleged that there was a vulnerability in the organisation’s mobile app which allowed the informant to access the account details of other customers. Communications between the mobile app and Singtel’s servers are conducted via Application Programming Interfaces (APIs).
The informant accessed four billing accounts and extracted the customers’ names, billing addresses, billing account numbers and mobile phone numbers, as well as customer service plans, including data, talk time and SMS usage. While there was no further evidence of unauthorised access, the personal data of approximately 330,000 of Singtel’s customers who were using the mobile app at the time was put at risk of disclosure.
Singtel has admitted that the data breach was caused by a “direct object reference” vulnerability, which was a design issue in the API. Investigations by PDPC concluded that Singtel had engaged a third-party security vendor to conduct regular penetration tests on the mobile app and backend systems. Despite having received professional advice to take precautions against such vulnerabilities, it had failed to put in place reasonable security arrangements with respect to the said API to protect the personal data. The vulnerabilities were identified in its last penetration test in 2015.
According to the filing, the direct object reference vulnerability is a “relatively basic design issue and well-known security risk” that a reasonable person would have considered necessary to detect and prevent. The Commission’s “Guide to Building Websites for SMEs” also highlighted that programmers should be aware of the common website vulnerabilities and adopt the appropriate programming techniques and practices to ensure that personal data cannot be exposed through such vulnerabilities. Although the guide sets out key considerations for the process of setting up a website, the same principles are similarly applicable when programming a mobile application.
During the proceedings, Singtel defended itself stating that the vulnerability was “not something that a normal user of the app would attempt” and that the attacker must be “technically competent” as the changing of the parameters could only be performed on a workstation.
However, PDPC argued that anyone with working knowledge of how a mobile app communicates with the servers through an API could have exploited the vulnerability. The tools and software required to manipulate the parameters are also available online. For the PDPA breach, organisations may be directed to pay a financial penalty of up to SG$1 million.
Meanwhile, Ninja Van’s breach of the PDPA was first brought to light in April 2018, when a complaint was submitted to PDPC about how the tracking function page could potentially be used to harvest customers’ personal data. By changing a few digits of a Ninja Van tracking ID, the complainant could access the personal data of another customer.
Investigations by PDPC found that parcels with the “pending pickup” and “on vehicle for delivery” delivery statuses did not include any data that could identify a customer. However, the disclosed data for parcels with the “completed” delivery status included the customers’ names, addresses and signatures.
According to the filing, Ninja Van was aware from the outset that tracking IDs may be manipulated and had tried unsuccessfully to introduce a second layer of authentication. Given the foreseeable risk of using tracking IDs as the sole means of accessing and using the tracking function page, it is “inexcusable” for the organisation to neglect its obligations to implement a workable security arrangement to protect the exposed personal data, said Yeong. This resulted in the data exposure of a significantly large number of individuals for a period of close to two years.
Additionally, save for the one-time archival of 2.6 million tracking IDs on 31 August 2016, Ninja Van did not have any procedures to remove records of completed deliveries from the tracking function page. It could have “easily done so” by setting a fixed period upon completion of a delivery after which the tracking ID would no longer be valid, and significantly reduced the risk of unauthorised access and disclosure to the exposed personal data, added Yeong.
Ninja Van has since taken several remedial actions. These include removing the customer’s address for the “pending pickup” and “on vehicle for delivery” delivery statuses, and engaging a law firm to improve and document its personal data protection policies.
As of 23 August 2018, the organisation implemented a system such that tracking IDs expire 14 days after the completion of the delivery. In August, Ninja Van also engaged a CREST-certified security organisation for a one-year period to assist with establishing an overarching security framework with a data protection focus. This includes working out a data protection training programme for its employees, all of whom will receive formal training on the organisation’s obligations with respect to the PDPA.
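The two failures described above share one root cause: a record is served on the strength of a client-supplied identifier alone. The following is an added illustration, not code from Singtel, Ninja Van or the PDPC filing, showing an API lookup that trusts the account number beside a hardened form that ties the record to the authenticated session, and a tracking view in which pre-delivery statuses carry no identifying fields and completed records stop resolving 14 days after completion. All account numbers, tracking IDs, names, addresses and timestamps are constructed for the example, and the field set returned for a completed parcel is the example's own choice rather than a statement of what Ninja Van's page showed.

```python
"""Added example: direct object reference (IDOR) lookup beside its hardened
form, plus a tracking page with status-based redaction and ID expiry.
Everything here is constructed illustration, not any company's real code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# --- Part 1: billing-account API -------------------------------------------

# Constructed sample data: billing accounts keyed by billing account number.
BILLING_ACCOUNTS = {
    "80001": {"customer_id": "cust-a", "name": "A. Tan",
              "address": "1 Example Rd", "plan": "10 GB / 200 min"},
    "80002": {"customer_id": "cust-b", "name": "B. Lim",
              "address": "2 Example Rd", "plan": "5 GB / 100 min"},
}


class Forbidden(Exception):
    """Raised when the authenticated caller may not read the requested record."""


def get_billing_account_vulnerable(session: dict, account_id: str) -> dict:
    """Direct object reference: the record is selected purely by the
    client-supplied account number. The session is never consulted, so any
    authenticated user who edits the parameter reads another customer's
    billing details."""
    return BILLING_ACCOUNTS[account_id]


def get_billing_account_secure(session: dict, account_id: str) -> dict:
    """Hardened form: after the lookup, the record's owner is compared with
    the identity held in the server-side session, and the record is released
    only on a match."""
    record = BILLING_ACCOUNTS.get(account_id)
    if record is None or record["customer_id"] != session.get("customer_id"):
        # One response for "no such account" and "not your account" keeps the
        # endpoint from confirming which account numbers exist.
        raise Forbidden("account not accessible")
    return record


def secure_lookup_or_none(session: dict, account_id: str) -> Optional[dict]:
    """Wrapper returning None instead of raising, for callers that only need
    to know whether access was granted."""
    try:
        return get_billing_account_secure(session, account_id)
    except Forbidden:
        return None


# --- Part 2: parcel-tracking page keyed only by tracking ID -----------------

TRACKING_EXPIRY = timedelta(days=14)  # retention window after completion


@dataclass
class Parcel:
    tracking_id: str
    status: str  # "pending pickup" | "on vehicle for delivery" | "completed"
    name: str
    address: str
    signature: str
    completed_at: Optional[datetime] = None


# Constructed sample parcels (hypothetical IDs, names and addresses).
PARCELS = {
    "NV0001": Parcel("NV0001", "on vehicle for delivery", "C. Ng",
                     "3 Example Rd", ""),
    "NV0002": Parcel("NV0002", "completed", "D. Koh", "4 Example Rd",
                     "sig-blob", completed_at=datetime(2018, 9, 1, 12, 0)),
}


def track_parcel(tracking_id: str, now_iso: str) -> Optional[dict]:
    """Tracking view with two controls: statuses before completion carry no
    identifying fields, and completed records stop resolving once the expiry
    window has passed, so a guessed ID reaches far fewer records.
    `now_iso` is the request-time clock as an ISO-8601 string."""
    now = datetime.fromisoformat(now_iso)
    parcel = PARCELS.get(tracking_id)
    if parcel is None:
        return None
    if parcel.status != "completed":
        # Pre-delivery: status only, no name or address.
        return {"tracking_id": parcel.tracking_id, "status": parcel.status}
    if parcel.completed_at is None or now - parcel.completed_at > TRACKING_EXPIRY:
        # Expired: indistinguishable from an unknown tracking ID.
        return None
    return {"tracking_id": parcel.tracking_id, "status": parcel.status,
            "name": parcel.name, "signature": parcel.signature}


if __name__ == "__main__":
    bob = {"customer_id": "cust-b"}
    print("vulnerable:", get_billing_account_vulnerable(bob, "80001")["name"])
    print("secure:", secure_lookup_or_none(bob, "80001"))
    print("tracking, day 9:", track_parcel("NV0002", "2018-09-10T00:00:00"))
    print("tracking, day 19:", track_parcel("NV0002", "2018-09-20T00:00:00"))
```

The ownership check in the secure lookup is the control Singtel's penetration tester would have flagged: the authorisation decision depends on server-side session state, not on a value the client can edit. The tracking function shows the two cheaper mitigations named in the filing, returning no identifying data for parcels not yet delivered and letting completed records lapse after a fixed period, which shrinks the window in which a guessed ID returns anything at all.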