Singtel fined SGD 9k for data breach

On 31/Dec/2019, Singapore Telecommunications Limited received a privacy fine of SGD 9,000. The enforcement authority (Personal Data Protection Commission) cited the following legal provision in imposing the fine on Singapore Telecommunications Limited: Personal Data Protection Act 2012 (PDPA 2012), Section 24.

Essentials

Date of enforcement action: 31/Dec/2019
Jurisdiction: Singapore
Fine imposed: SGD 9,000 (US$6,000)
Defendant company or entity: Singapore Telecommunications Limited
Industry segment: Telecoms

Case summary

A financial penalty of $9,000 was imposed on Singtel for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of some of its customers via its My Singtel mobile application.

Section 24 of the Personal Data Protection Act 2012 (the “PDPA”) requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

The Commission’s investigations revealed that due to a technical issue that occurred during a limited period, certain mobile subscribers of the Organisation were able to view the personal data of other subscribers when they used the [Respondent’s] App (the “Incident”). The Incident took place over a period of approximately 11 hours on 20 February 2018 and the personal data of 750 subscribers (the “Affected Subscribers”) were exposed to the risk of access by other subscribers. Of these, the personal data of 39 subscribers were, in fact, accessed by other subscribers.

[The problem arose in conjunction with the practice of reusing mobile phone numbers for new subscribers, after number reassignment. During maintenance, requests were routed from SingTel’s usual system to a temporary, or backup system, in which the old details appeared.]

The types of personal information of the Affected Subscribers (the “Personal Data”) which were accessible through the App included:

(a) mobile numbers;

(b) mobile plans subscribed to;

(c) usage details;

(d) account numbers; and

(e) add-on services subscribed to.

The relevant subscribers could also modify the add-on services tied to the Affected Subscribers’ mobile number; 6 such subscribers had tried to make such modifications.

The Organisation in its representations made the point that, in their view, the data breach “happened only where there was an obscure combination of factors”. While it is accepted that a combination of events had to occur before personal data would have been disclosed, I do not think that the combination of factors was obscure. First, session timeout for MRD queries was foreseen, with the intention for an error message to be displayed.

Second, the Organisation had full knowledge of how dummy numbers are assigned as a temporary bridge for number porting, and that these dummy numbers are eventually re-assigned. The combination of factors giving rise to the Incident was foreseeable and I do not think that the combination is obscure. The impact of the Incident was contained because of its prompt action in implementing a temporary fix.

(PDPC)
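The failure mode the decision describes is a general one: a query to the primary record system times out, the request falls through to a backup that still holds an earlier subscriber's details, and the records are keyed by a mobile number that is reused after porting. The following is an added illustration written for this entry; it is not Singtel's code and nothing about Singtel's actual systems is assumed beyond the summary above. The data, account identifiers, the `query_primary` stub and the injected timeout are all constructed. It contrasts the fail-open pattern (serve whatever the backup has for this number) with a fail-closed one that returns an error on timeout, as the decision says was intended, and that refuses to return any record whose account owner does not match the authenticated session.

```python
"""Constructed example: stale backup keyed by a reusable mobile number.

Account A-100 once held the number +6591110000. After porting, the number was
re-assigned to account A-200. The primary store is keyed by account and is
current; the backup store is keyed by mobile number and still holds A-100's
record. All identifiers and values here are made up for illustration.
"""
from dataclasses import dataclass
from typing import Optional


class QueryTimeout(Exception):
    """Raised when the primary record database does not answer in time."""


@dataclass(frozen=True)
class SubscriberRecord:
    account_id: str      # stable identifier, never re-assigned
    mobile_number: str   # reusable identifier: may belong to someone else later
    plan: str
    addons: tuple


# Primary store: keyed by the stable account id (constructed sample data).
PRIMARY_BY_ACCOUNT = {
    "A-200": SubscriberRecord("A-200", "+6591110000", "Plan-Current", ("roaming",)),
}

# Backup store: keyed only by mobile number and never refreshed after the
# number was re-assigned, so it still carries the previous holder's record.
BACKUP_BY_NUMBER = {
    "+6591110000": SubscriberRecord("A-100", "+6591110000", "Plan-Old",
                                    ("caller-id", "data-top-up")),
}


def query_primary(account_id: str, *, timeout_injected: bool) -> Optional[SubscriberRecord]:
    """Stand-in for the primary lookup; the flag simulates a session timeout."""
    if timeout_injected:
        raise QueryTimeout("primary record database did not respond")
    return PRIMARY_BY_ACCOUNT.get(account_id)


def lookup_fail_open(session_account_id: str, session_number: str,
                     *, timeout_injected: bool = False) -> Optional[SubscriberRecord]:
    """Flawed pattern: on timeout, serve whatever the backup holds for this number.

    Because the backup is keyed by a reusable number and the result is not
    checked against the caller's account, a timeout discloses another
    subscriber's record.
    """
    try:
        return query_primary(session_account_id, timeout_injected=timeout_injected)
    except QueryTimeout:
        return BACKUP_BY_NUMBER.get(session_number)


def lookup_fail_closed(session_account_id: str, session_number: str,
                       *, timeout_injected: bool = False,
                       allow_backup: bool = False) -> Optional[SubscriberRecord]:
    """Hardened pattern.

    1. A timeout yields no data (the caller shows an error) unless a backup is
       explicitly allowed.
    2. Any record about to be returned, from either source, must belong to the
       authenticated account; a mismatch means the number has been re-assigned
       and the record is withheld.
    """
    try:
        record = query_primary(session_account_id, timeout_injected=timeout_injected)
    except QueryTimeout:
        if not allow_backup:
            return None  # fail closed: error page, not stale data
        record = BACKUP_BY_NUMBER.get(session_number)
    if record is None or record.account_id != session_account_id:
        return None  # ownership check catches the re-assigned number
    return record


if __name__ == "__main__":
    leaked = lookup_fail_open("A-200", "+6591110000", timeout_injected=True)
    print("fail-open on timeout returned account:", leaked.account_id if leaked else None)
    safe = lookup_fail_closed("A-200", "+6591110000", timeout_injected=True, allow_backup=True)
    print("fail-closed with backup on timeout returned:", safe)
```

The ownership check in `lookup_fail_closed` is the part that matters beyond the timeout handling: keying the backup by a stable account identifier, or verifying the owner before returning, makes the stale record unreachable even if a fallback path is kept for availability.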

Commentary

The data of 39 data subjects was accessed during the breach. Calculating a tariff based on the fine suggests SGD 230 per individual affected. A total of 750 subscribers (SGD 12 per subscriber) were exposed during this breach, although their data was not accessed. The fact that Singtel quickly remedied the problem (the breach lasted only 11 hours) probably put some downward pressure on the amount of the fine, notwithstanding that the design defect and the possibility of access were foreseeable (in the Commissioner’s view).

Applicable legal provisions

Personal Data Protection Act 2012 (PDPA 2012), Section 24

Enforcement information

Enforcement authority: Personal Data Protection Commission
Type of enforcement action: Penalty notice
Subject to appeal? No

File or case number

DP-1802-B1732

Cite this fine in your work

Data Privacy Fines Index. (2019-12-31 04:18) Singtel fined SGD 9k for data breach. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/singtel-fined-sgd-9k/

Entry last updated: 2020-04-16 10:34 GMT.