15 December 2022

Organisations bear ultimate responsibility for security of personal data even if IT services are outsourced

On 15 September 2022, the Personal Data Protection Commission (“PDPC”) published a written decision on MyRepublic Limited’s (“MyRepublic”) breach of Section 24 of the Personal Data Protection Act 2012 (“PDPA”) (the “Protection Obligation”).

The PDPC imposed a financial penalty of S$60,000 on MyRepublic for its breach of the Protection Obligation, which allowed a hacker to gain access to the personal data of 79,388 individuals. The penalty was imposed despite the PDPC having considered: (a) MyRepublic’s prompt and effective remedial actions, (b) MyRepublic’s co-operation during the investigations and (c) MyRepublic’s voluntary acceptance of liability for the incident.

Facts

MyRepublic is incorporated in Singapore and is a telecommunications operator. MyRepublic accepted customer orders for mobile services through its mobile order portal (“Portal”), where its customers would submit their Know-Your-Client documents (“KYC documents”). The KYC documents were stored in a bucket (“Bucket”) on cloud-storage which MyRepublic procured from Amazon Web Services (“AWS”).

Access to the Bucket was restricted by an access key (“Key”), which was stored in the source code of the Portal to facilitate the transfer of KYC documents from the Portal to the Bucket. On 29 August 2021, MyRepublic received an e-mail from a hacker who had accessed and exfiltrated the KYC documents. The hacker threatened to publish the data unless a ransom was paid.

The PDPC’s decision

The Protection Obligation requires organisations to implement reasonable security arrangements to prevent the risk of unauthorised disclosure of customer data.

In this case, the PDPC found that MyRepublic had breached the Protection Obligation notwithstanding that the data was hosted on its vendor’s cloud service, because MyRepublic retained control over that data. The PDPC also highlighted that an organisation bears ultimate responsibility under the Protection Obligation to protect all customers’ data under its control.

In determining whether an organisation has breached its Protection Obligation, the PDPC will consider the reasonableness of the organisation’s security arrangements having regard to the volume and sensitivity of the personal data concerned.

Having considered the high volume of personal data and the sensitive nature of the said data (i.e. identification documents such as NRICs and work passes), the PDPC found that MyRepublic had failed to put in place sufficiently robust security arrangements to prevent the risk of unauthorised disclosure of customer data.

The PDPC found that MyRepublic had failed to:

  1. Implement sufficiently robust processes to protect the Key: the Key was publicly accessible through the Portal’s functionality to display technical information, embedded in the Portal’s source code available to all of MyRepublic’s developers, and captured in files made available to all employees; and
  2. Implement reasonable security controls for its AWS environment: the Bucket should not have been made publicly accessible, and access to the Bucket should have been restricted to authorised applications or users only.
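The two findings above map onto two checks an organisation can run itself before a regulator does: scanning application source for embedded AWS access key IDs, and inspecting an S3 bucket policy for statements that grant access to anyone. The following is an added illustration, not code from the decision or from MyRepublic; the source snippet, the bucket name, the account ID, the role name and both policies are constructed (the key ID is AWS’s documented example value, not a live credential).

```python
import re
from typing import Any

# Constructed sample: a Portal-style source file with the bucket key embedded
# in it (the key ID is AWS's documented example value, not a live credential).
SAMPLE_SOURCE = '''
S3_BUCKET = "kyc-uploads"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
'''

# AWS access key IDs are 20 characters: a 4-letter prefix plus 16 upper-case
# alphanumerics. Long-lived IAM user keys start with AKIA, temporary ones with ASIA.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def find_aws_key_ids(text: str) -> list[str]:
    """Return access key IDs embedded in source text (usable as a pre-commit check)."""
    return AWS_KEY_ID.findall(text)


def _is_wildcard(principal: Any) -> bool:
    """True if a policy Principal grants access to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy: dict) -> list[str]:
    """Sids of Allow statements that grant access to anyone with no Condition."""
    hits = []
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow" and _is_wildcard(st.get("Principal")) and not st.get("Condition"):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


# Constructed bucket policies: the weak form exposes every object to the internet;
# the corrected form grants only the Portal's IAM role, and only the upload action.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::kyc-uploads/*"}]}
CORRECTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PortalUploadOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/portal-uploader"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::kyc-uploads/*"}]}

if __name__ == "__main__":
    print("embedded key IDs:", find_aws_key_ids(SAMPLE_SOURCE))
    print("public statements (weak):", public_statements(WEAK_POLICY))
    print("public statements (corrected):", public_statements(CORRECTED_POLICY))
```

Even with the corrected policy, the key itself belongs in an instance or task role rather than in the Portal’s source, so that there is nothing for a debug page or a shared file to leak.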

IMPORTANT NOTICE: This memorandum is only intended as a guide and does not purport to be an exhaustive or conclusive discussion of the matters set out herein and should not be relied on as a substitute for definitive legal advice. Reference should always be made to the applicable statutes, the relevant subsidiary legislations and other applicable guidelines. This memorandum is not to be transmitted to any other person nor is it to be relied upon by any other person or for any other purpose or quoted or referred to in any public document or filed with any governmental or other authorities without our consent in writing. This memorandum is limited to the laws of Singapore. In issuing this memorandum, we do not assume any obligation to notify or inform you of any developments subsequent to its date that might render its contents untrue or inaccurate in whole or in part at such later time. If you would like to discuss the implications of these legal developments on your business or obtain advice, please do not hesitate to approach your usual contact at Insights Law LLC or you may direct the inquiry to our key contacts stated above.
