Breach of the Protection Obligation: RedMart and Thomson Medical
It’s in the name itself: protection. Under the Protection Obligation, organisations must protect the personal data they collect, use and disclose, or else face not just a financial penalty from the PDPC but also the loss of trust of customers and potential clients.
Under this obligation, organisations need to put up safeguards to ensure that there is no breach or unauthorised exportation of personal data. It should be noted that this is the most frequently breached obligation of the PDPA, and organisations should always keep tabs on current decisions and undertakings from the PDPC so that they do not become part of those statistics.
Sadly, RedMart and Thomson Medical fell short of the diligence required of them to protect the personal data they manage. Completing this year’s set of released decisions, RedMart, an online platform selling groceries and fresh produce, even surpassed Quoine to receive 2022’s highest financial penalty.
December 19: RedMart’s breach of the Protection obligation
In October 2020, the PDPC was notified that RedMart’s database containing the personal data of its customers was being offered for sale on an online forum; the database covered 898,791 individuals. Upon investigation, it was found that the breach was due to a threat actor who gained unauthorised access to the GitHub user account of a member of RedMart’s software development and IT operations team.
According to the PDPC, given the high volume of personal data in the affected database, it was incumbent on RedMart to implement policies and practices commensurate with the organisation’s higher-level security needs to discharge its obligation under the Protection Obligation.
RedMart should have ensured that reasonable access controls were implemented on its employees’ GitHub user accounts; it was the compromised account that gave the threat actor access to the GitHub repositories. The breach could also have been prevented had the organisation implemented sufficient access controls to protect and limit access to the keys for RedMart’s various environments, or conducted periodic management reviews to confirm that access to these keys was limited to the GitHub accounts that required it and was removed from accounts that no longer needed it.
In this connection, best practice dictates that the principle of least privilege should apply: each employee is given only the minimum level of access rights or privileges necessary to complete an assigned operation. This limits the damage when a compromise occurs, as in this case, where the threat actor gained unauthorised access to a single GitHub user account.
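The periodic management review described above can be made routine rather than ad hoc. The following is an added illustration, not RedMart’s code nor anything from the PDPC decision: it takes a constructed export of who holds which permission on which repository, compares it against the HR roster and a least-privilege baseline of what each role actually needs, and lists the grants that a reviewer should revoke or downgrade (leavers who still have access, access with no business need, permissions above the baseline, and access unused for longer than a set window). The repository names, roles, accounts and dates are all assumptions made for the example.

```python
"""Periodic least-privilege access review over repository grants (added example).

Assumptions: an export of grants (account, repository, permission, last activity),
an HR roster of active staff with their roles, and a per-role baseline of the
minimum permission each role needs on each repository. All data is constructed.
"""
from dataclasses import dataclass
from datetime import date

PERM_RANK = {"read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Grant:
    account: str         # GitHub user account holding the grant (constructed)
    repo: str            # repository the grant applies to (constructed)
    permission: str      # "read", "write" or "admin"
    last_activity: date  # last time this account touched the repository


def review_access(grants, active_staff, baseline, today, stale_days=90):
    """Return sorted (account, repo, finding) tuples for grants that violate the baseline.

    active_staff maps account -> role for current employees; anyone missing is a leaver.
    baseline maps (role, repo) -> minimum permission needed, or None for "no access needed".
    """
    findings = []
    for g in grants:
        role = active_staff.get(g.account)
        if role is None:
            # Offboarded account that still holds access: revoke everything.
            findings.append((g.account, g.repo, "leaver-still-has-access"))
            continue
        needed = baseline.get((role, g.repo))
        if needed is None:
            # The role has no business need for this repository at all.
            findings.append((g.account, g.repo, "no-business-need"))
        elif PERM_RANK[g.permission] > PERM_RANK[needed]:
            # Permission exceeds the least-privilege baseline for the role.
            findings.append((g.account, g.repo, f"excess-privilege:{g.permission}>{needed}"))
        if (today - g.last_activity).days > stale_days:
            # Access that has gone unused for a long time should be re-justified or removed.
            findings.append((g.account, g.repo, "stale-access"))
    return sorted(findings)


def run_sample():
    """Run the review over constructed sample data and return the findings."""
    active_staff = {"alice": "devops", "bob": "developer", "carol": "developer"}
    baseline = {
        ("devops", "env-keys"): "write",      # only devops maintains environment keys
        ("developer", "env-keys"): None,      # developers need no access to the keys repo
        ("developer", "storefront"): "write",
        ("devops", "storefront"): "read",
    }
    grants = [
        Grant("alice", "env-keys", "write", date(2022, 12, 1)),    # compliant
        Grant("bob", "env-keys", "read", date(2022, 6, 1)),        # no need, and unused
        Grant("carol", "storefront", "admin", date(2022, 12, 10)), # admin where write suffices
        Grant("dave", "storefront", "write", date(2022, 3, 1)),    # dave has left the company
    ]
    return review_access(grants, active_staff, baseline, today=date(2022, 12, 19))


if __name__ == "__main__":
    for account, repo, finding in run_sample():
        print(f"{account:6} {repo:11} {finding}")
```

Running the review on a schedule (for example, monthly, and on every offboarding) and treating each finding as a ticket to close is the management review the decision calls for; the baseline table is where the least-privilege decision is recorded, so it can be audited alongside the findings.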
With this incident, RedMart was made to pay a whopping financial penalty of S$72,000 for failure to comply with the Protection Obligation of the PDPA. This is the highest financial penalty for 2022, given the number of individuals affected and the nature of the personal data involved.
What we can take from this case is the importance of access controls and limits on employees and their accounts. It should be stressed that employees are the weakest link in an organisation’s cybersecurity. While the decision does not state how the bad actor obtained the employee’s credentials, it is plausible that this was through the most common forms of cyber-attack used to bait employees, such as malware or phishing. Without such access controls and limits, an organisation that does not pay attention to them is at great risk.
December 19: Thomson Medical’s breach of the Protection obligation and directions to follow
Completing this year’s PDPC decisions is the case of Thomson Medical. Here, the PDPC was notified that the organisation’s Health Declaration Portal was not secure as the personal data of its visitors could be publicly accessed.
According to Thomson Medical, its in-house developer failed to remove a piece of software code, causing the visitor data to be publicly accessible, and omitted to change the default web server configuration so that the data would be stored in a secured database.
Upon investigation, it was found that the personal data of 44,679 of the organisation’s visitors was affected. This was attributable to Thomson Medical’s failure to put processes in place to ensure that its policies for the collection of visitor data, and its instructions to the developer, would be complied with. Moreover, the organisation should have conducted reasonable pre-launch testing before the Health Declaration Portal went live.
Thankfully, there was no evidence suggesting that the personal data had actually been exposed to unauthorised third parties as a result of Thomson Medical’s lapses. For this reason, the organisation was only issued directions to comply with.
This case also highlights employees as the weakest link in an organisation. What we can take from it is the importance of having processes to ensure that employees comply with the duties given to them. The case also underlines the importance of pre-launch testing to ensure that no vulnerabilities that bad actors could exploit are present when a system goes live.
How a DPO can help
The Protection Obligation is the obligation under the PDPA most commonly violated by organisations. When organisations fail to observe it, the PDPC can impose a financial penalty. To ensure that this does not happen to your organisation, a DPO can help.
A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that the organisation complies with the Personal Data Protection Act (PDPA). Furthermore, every organisation’s DPO should be able to curb cyber threats and data breaches, as the DPO is the officer responsible for maintaining the organisation’s cybersecurity posture.
For instance, at Privacy Ninja, we regularly conduct penetration testing to see if the organization’s systems can be exploited or taken advantage of, and patch them up as quickly as possible before any bad actor can do so.
DPOs complement organisations’ efforts to make sure that the personal data collected and used is accurate. When the obligation has been breached, DPOs ensure that a protocol for dealing with the breach has been established and can be employed.
As a consumer who provides my very own sensitive information to each organization I encounter or have a transaction with, I would feel safe if an organization would take the extra mile to ensure that my data is correct and concise as it affects me whenever a decision is made.
Don’t wait any longer to ensure your organisation is PDPA compliant. Take our free 3-minute self-audit checklist now, the same “secret weapon” used by our clients to keep them on track. Upon completion, we will send you the results so you can take the necessary action to protect your customers’ data. Complete the free assessment checklist today and take the first step towards protecting your customers’ personal data. https://bit.ly/pdpa_compliance