On 31/Dec/2019, Singapore Telecommunications Limited received a privacy fine of SGD 9,000. The enforcement authority (Personal Data Protection Commission) cited the following legal provision in imposing the fine on Singapore Telecommunications Limited: PDPA 2012, Section 24.
| Date of enforcement action: | 31/Dec/2019 |
|---|---|
| Singapore | SGD 9,000 (US$6,000) |
| Defendant company or entity: | Industry segment: |
| Singapore Telecommunications Limited | Telecoms / |
A financial penalty of $9,000 was imposed on Singtel for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of some of its customers via its My Singtel mobile application.
Section 24 of the Personal Data Protection Act 2012 (the “PDPA”) requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
The Commission’s investigations revealed that due to a technical issue that occurred during a limited period, certain mobile subscribers of the Organisation were able to view the personal data of other subscribers when they used the [Respondent’s] App (the “Incident”). The Incident took place over a period of approximately 11 hours on 20 February 2018 and the personal data of 750 subscribers (the “Affected Subscribers”) were exposed to the risk of access by other subscribers. Of these, the personal data of 39 subscribers were, in fact, accessed by other subscribers.
[The problem arose in conjunction with the practice of reusing mobile phone numbers for new subscribers, after number reassignment. During maintenance, requests were routed from SingTel’s usual system to a temporary, or backup system, in which the old details appeared.]
The types of personal information of the Affected Subscribers (the “Personal Data”) which were accessible through the App included:
(a) mobile numbers;
(b) mobile plans subscribed to;
(c) usage details;
(d) account numbers; and
(e) add-on services subscribed to.

The relevant subscribers could also modify the add-on services tied to the Affected Subscribers’ mobile number; 6 such subscribers had tried to make such modifications.
The Organisation in its representations made the point that, in their view, the data breach “happened only where there was an obscure combination of factors”. While it is accepted that a combination of events had to occur before personal data would have been disclosed, I do not think that the combination of factors was obscure. First, session timeout for MRD queries was foreseen, with the intention for an error message to be displayed.
Second, the Organisation had full knowledge of how dummy numbers are assigned as a temporary bridge for number porting, and that these dummy numbers are eventually re-assigned. The combination of factors giving rise to the Incident was foreseeable and I do not think that the combination is obscure. The impact of the Incident was contained because of its prompt action in implementing a temporary fix.
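The failure pattern described in the decision, as an added illustration that is not part of this entry or of Singtel's systems (subscriber ids, numbers, the in-memory stores and the lookup functions are all constructed assumptions): a lookup that falls back to a stale store keyed only by the reusable mobile number serves the previous holder's record when the primary query times out, beside a variant that fails closed and checks the stable subscriber id before returning anything.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    subscriber_id: str  # stable identity; never reused across customers
    msisdn: str         # mobile number; may be reassigned after porting
    plan: str
    account_no: str


# Constructed sample data: the bridge number 91230000 was held by S-OLD
# during porting and has since been reassigned to S-NEW.
PRIMARY_BY_SUBSCRIBER = {"S-NEW": Account("S-NEW", "91230000", "Combo 3", "ACC-002")}
# The temporary/backup store is stale and keyed by number alone.
BACKUP_BY_MSISDN = {"91230000": Account("S-OLD", "91230000", "Combo 1", "ACC-001")}


class BackendTimeout(Exception):
    """Raised when the primary query exceeds its session timeout."""


def primary_lookup(subscriber_id: str, primary_up: bool) -> Account:
    if not primary_up:
        raise BackendTimeout("primary store did not answer in time")
    return PRIMARY_BY_SUBSCRIBER[subscriber_id]


def vulnerable_account_view(msisdn: str, subscriber_id: str, primary_up: bool) -> Optional[Account]:
    """On timeout, silently falls back to the number-keyed backup store.
    Because the number was reused, the caller receives another person's data."""
    try:
        return primary_lookup(subscriber_id, primary_up)
    except BackendTimeout:
        return BACKUP_BY_MSISDN.get(msisdn)


def hardened_account_view(msisdn: str, subscriber_id: str, primary_up: bool) -> Optional[Account]:
    """Any record served, from primary or backup, must belong to the authenticated
    subscriber; otherwise return None so the app shows the intended error message."""
    try:
        acct = primary_lookup(subscriber_id, primary_up)
    except BackendTimeout:
        acct = BACKUP_BY_MSISDN.get(msisdn)
    if acct is None or acct.subscriber_id != subscriber_id or acct.msisdn != msisdn:
        return None  # fail closed rather than disclose a stale record
    return acct
```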
The data of 39 data subjects was accessed during the breach. Calculating a tariff based on the fine suggests SGD 230 per individual affected. A total of 750 subscribers (SGD 12 per subscriber) were exposed during this breach, although their data was not accessed. The fact that Singtel quickly remedied the problem (the duration of the breach was only 11 hours) probably put some downward pressure on the amount of the fine, notwithstanding that, in the Commissioner’s view, the design defect and the possibility of access were foreseeable.
| Enforcement authority: | Type of enforcement action: |
|---|---|
| Personal Data Protection Commission | Penalty notice |
| Subject to appeal? | |
| File or case number | |
Cite this fine in your work
Data Privacy Fines Index. (2019-12-31 04:18) Singtel fined SGD 9k for data breach. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/singtel-fined-sgd-9k/
Entry last updated: 2020-04-16 10:34 GMT.