On 22 January 2019, Singapore’s Personal Data Protection Commission issued its grounds of decision against COURTS (Singapore) Pte Ltd (Courts), a consumer electronics and furniture retailer in Singapore.
The facts of the case were as follows:
- A complaint was brought by an individual who discovered that his contact number and address were disclosed on a webpage that opened automatically after he entered his name and email address on Courts’ guest login page while making a purchase on its website.
- The commission’s investigations revealed that when a customer checked out as a guest user and entered their name and email address, their contact number and residential address would also be displayed on the guest checkout page of the website.
- As of 9 July 2017, Courts confirmed that it had a total of 14,104 personal data sets stored in its database.
The commission’s findings were as follows:
- It is not disputed that Courts had possession and/or control of the personal data sets stored in its database. Accordingly, it was required to protect such personal data under section 24 of the Personal Data Protection Act (PDPA).
- While Courts had engaged an IT vendor to develop and maintain the guest login page and guest checkout page on its website, such vendor did not have the login credentials to Courts’ database, and the nature of the relationship was more akin to software development as opposed to the vendor operating or performing processing activities on the personal data in the database. Hence, the commission found that the IT vendor was not Courts’ data intermediary.
- Courts had fallen short of its obligation to protect the personal data as required under section 24 of the PDPA. The use of an email address as the sole login credential fell short of the standard of protection required to guard against unauthorised access. There was a “glaring failure” to “adequately consider data protection” with respect to the guest checkout system of the website, as Courts did not review its system design or process flow. Additionally, no penetration tests or maintenance had been carried out since the website launch, and no security scans had been performed in the 12 months prior to the incident.
- The commission further noted that Courts’ employee training measures were ineffective in dealing with the system design and process flow deficiencies on its website and could not amount to the requisite security arrangements to protect the personal data against unauthorised disclosure.
- A financial penalty of S$15,000 was imposed for Courts’ breach of the protection obligation under the PDPA.