SPH Magazines and Singtel slapped with PDPC fine for exposing personal data

SPH Magazines has been directed by the Personal Data Protection Commission (PDPC) to pay a financial penalty of SG$26,000 for failing to protect personal data. According to PDPC, on 20 February 2018, SPH Magazines notified the commission that the account of a senior moderator of its HardwareZone forum site had been accessed by a hacker. The senior moderator’s email address and password was published on a credential leak database on 5 December 2017.

PDPC said SPH Magazines did not perform any security testing of the HardwareZone forum website, and did not have an overall picture of its security needs in relation to the website. PDPC also stated that SPH Magazines was unable to detect the unauthorised access of personal data for about two years.

According to SPH Magazines, it was notified of an unauthorised post published using the account of a website administrator that led to conducting an investigation and informing PDPC. However, the hacker did not compromise the company's systems and applications. During the investigations, the case filing said the senior moderator's password was not changed in 10 years, and did not meet the length and complexity standard implemented for its employees.

It also revealed that the hacker used the compromised senior moderator account to access the user profiles of members. At the time, there were a total of 685,393 user profiles in SPH Magazines' system. Further investigations by the company showed that the senior moderator’s account was used to perform 704,764 attempted views of members’ user profiles using networks that did not reveal the actual source IP address, between 22 September 2017 to 30 September 2017.

Both SPH Magazines and HardwareZone issued an apology on 21 February 2018 for the data breach on the forum site. In a press statement then, SPH said it had lodged a police report, informed PDPC and also engaged security consultants to conduct a “thorough review of the system”. “SPH Magazines and HWZ sincerely apologise to HWZ users for this breach of security. We remain committed to protecting all personal data shared with us,” the statement added.


Meanwhile, Singtel has been issued a financial penalty of SG$9,000 for putting personal data of 750 individuals at risk. The incident took place over a period of approximately 11 hours on 20 February 2018 and the personal data of 750 subscribers were exposed to the risk of access by other subscribers. Of these, according to the PDPC case filing, only personal data of 39 subscribers were accessed by other subscribers.

On 21 February 2018, the PDPC received a complaint from an individual mobile subscriber of Singtel, which revealed that the subscriber was able to view the personal information of another subscriber using the MySingTel mobile application. According to the PDPC case filing, the incident arose during Singtel’s migration of its database of mobile customer accounts from its existing billing system to a new billing system. This involved mobile numbers that were previously assigned to a subscriber (historical numbers) that was subsequently reassigned to another subscriber.

During the migration period, when a subscriber logged in to the app, the app would query the telco's master routing database to check if the subscriber’s data had been migrated and then route the query to the relevant billing system. However, on 20 February 2018, due to slow response times, queries by the master routing database to the billing system encountered timeouts. When these timeouts occurred, subscribers who were assigned a historical number before, will be able to view service information of other subscribers who could have also been assigned to the same dummy number.

Just last month, Singtel was fined SG$25,000 for exposing personal data of approximately 330,000 of its mobile app users. The case against Singtel was brought up in May 2017, where an anonymous informant alleged that there was a vulnerability in the organisation’s mobile app, which allowed the informant to access the account details of other customers. The informant accessed four billing accounts and extracted the customer’s name, billing address, billing account number, mobile phone number as well as customer service plans, including data, talk time and SMS usage.

Royal Caribbean Cruises (Asia)

Royal Caribbean Cruises Asia has been fined SG$16,000 for failure to put in place reasonable security arrangements to protect the customer and employee data. On 14 April 2019, Royal Caribbean Cruises Asia notified PDPC that the systems of one of its vendors had been subject to a cyber-attack, resulting in the personal data of some of the cruise's customers being exposed to unauthorised access.

In early 2017, the Royal Caribbean Cruises Asia engaged the IT Vendor to develop and supply the cruise company with an electronic receipt system and the receipt system was hosted on an Amazon Web Services server. On 11 April 2019, the cruise company encountered difficulties operating the receipt system and the next day, the IT vendor informed Royal Caribbean Cruises that the receipt system had been subject to a cyber-attack. The cyber-attacker had deleted the database in the receipt system, and replaced it with a ransom message demanding payment of 0.08 Bitcoins in order to recover the deleted data.

Personal data including sailing date, booking ID, name of guest and card holder, among others, belonging to 6,004 of Royal Caribbean Cruises Asia's
customers were affected by the incident. In addition, 440 of the 6,004 affected customers had completed an online check-in process that required them to provide additional personal data such as nationality, residential address, email address, last four characters of the passport number and others. There were 25 employees of the cruise company whose personal data was also affected by the cyber attack.

The commission's investigations revealed that the IT Vendor had not processed, nor were they engaged to process, the customer data, additional customer data and employee data on the cruise company's behalf. The receipt system was also found to have vulnerabilities and gaps that the cyber-attacker could easily have exploited.

AXA Insurance

AXA Insurance has been issued a warning by the PDPC for lack of security and exposing personal data. The PDPC received a complaint on 4 July 2019 against AXA Insurance, which said an email with a scanned document contained personal data of 87 other policyholders. The attachment was an internal email correspondence of the insurance company that contained the names, NRIC numbers, insurance policy numbers and the details of the servicing agents of the personal data. The insurance company however, admitted to PDPC that during scanning of documents by its employees, it did not have a process to segregate documents intended for internal record purposes from documents for customers.

The commission found that these lapses in processes resulted in the data breach, and that the lapses pointed to a failure by AXA Insurance to make reasonable security arrangements to protect the personal data of its policyholders from inadvertent disclosure by its employees.

NTUC Income

NTUC Income has been given a warning by the PDPC for unintentionally leaking personal data. The PDPC was notified on 17 July 2019 by NTUC Income of the unintended disclosure of personal data to users making enquiries through its website. The users received automated acknowledgement emails attached with files containing personal data of other individuals.

This occurred due to a coding error. When a user A uploaded files, the application assigned a variable that served to identify the files for future retrieval by the same user or by the insurance company. If the user B did not upload files, the variable generated for the preceding user was applied to the B’s submission. As a result, the supporting documents uploaded by A were associated with B’s submission. NTUC Income has since sought to improve checks on coding quality by replacing its manual code review process with adequate tools.