Have you recently carried out a vulnerability test on your Company’s website and secured webpages to make sure that Confidential and Personal Data cannot leak out accidentally?
This is what happened to one such Company, which allowed its customers to access data from its webpage while having inadequate security measures in place.
For the convenience of its policyholders, Friends Provident International Limited (the “insurer” or “Company”) operated and maintained an online portal (“Portal”).
Policyholders could access the Portal through the Company’s webpage via a supposedly “Secured Mailbox Webpage” (“Webpage”). Authorised persons of the Company i.e. employees and advisors could also access the Webpage to generate and obtain reports.
Unsurprisingly, the reports contained some personal data of policyholders, including their names, policy number(s) and the residential area in which they lived. Policyholders were not intended to see more than their own information.
Unfortunately, the Company’s breach of the PDPA came about when an inquisitive policyholder, while accessing the Portal and the Webpage, was able to also generate and obtain confidential reports containing details of other policyholders.
The policyholder then complained to the Monetary Authority Singapore who in turn referred the matter to the Company. The Company, on its own accord, reported the breach.
The troubling issue is that the Company did not know of the vulnerability in its Webpage. It was only by chance that a backend upgrade and an enhancement of the website’s verification, completed on 6 February 2018, resolved the security issue. The breaches were in fact incidents that had occurred on or about 12 December 2017, but the Company was unaware of the glitch.
In total, 240 individuals were affected by the generation of the reports where 42 reports had been produced and downloaded by 21 policyholders or their advisors.
What exactly was the Company’s breach?
In Friends’ Case SGPDPC 29, the Deputy Commissioner stated that Section 24 of the Personal Data Protection Act 2012 (“PDPA”) requires companies to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, disclosure and similar risks (emphasis added).
The Company had not done so for 2 main reasons:-
- It was less careful in the manner it had restricted access to the Reports to prevent unauthorised access; and
- The testing done on the Webpage was inadequate.
The testing of the Webpage was inadequate because the facts showed that the Webpage was intended for use across a variety of devices and screens. The Deputy Commissioner therefore felt that testing should have been conducted across multiple browsers and devices, including mobile phones, and on a representative basis.
The Deputy Commissioner strongly recommended that companies and developers test other browser conditions such as “script blocking”. Script blocking prevents a website from running scripts in the visitor’s browser when the user visits the website; any access restriction that is enforced only by such a script disappears with it. Did you know of “script blocking” as a tool before reading this article?
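The following is an added illustration, not code from the PDPC decision or from the insurer’s Portal, of why “script blocking” is a meaningful test condition and what the “backend access validation” the Company later put in place achieves. A report endpoint that returns every record and relies on a page script to hide other policyholders’ rows looks correct in ordinary testing but leaks in a script-blocking browser; an endpoint that validates access on the server from the login session does not. All records, names, roles and function names below are constructed for the example.

```javascript
// Added illustration, not code from the PDPC decision or from the insurer's
// Portal: it contrasts report access enforced only by front-end script with
// report access enforced by back-end access validation. All records, names,
// roles and function names are constructed for the example.

// Constructed sample reports (placeholder policy numbers and names).
const REPORTS = [
  { policyNumber: "P-0001", name: "Policyholder A", area: "North" },
  { policyNumber: "P-0002", name: "Policyholder B", area: "East" },
  { policyNumber: "P-0003", name: "Policyholder C", area: "West" },
];

// Server-side session as established at login: who the caller is, their role
// ("policyholder", or "staff" for authorised employees and advisors) and the
// policies they own. The browser never gets to edit this object.
function makeSession(subject, role, ownPolicies) {
  return { subject, role, ownPolicies: new Set(ownPolicies) };
}

// --- Weak design: the server trusts the browser to hide other people's data ---
// The response carries every report; a script on the page is meant to filter
// the view down to the caller's own policy.
function weakReportHandler(session) {
  return { status: 200, records: REPORTS, visiblePolicies: session.ownPolicies };
}

// What the page shows when its script runs as the developer intended.
function renderWithScript(response) {
  return response.records.filter((r) => response.visiblePolicies.has(r.policyNumber));
}

// What a script-blocking browser shows: the response body, unfiltered. This is
// the condition the Deputy Commissioner said should have been tested.
function renderWithoutScript(response) {
  return response.records;
}

// --- Hardened design: back-end access validation ------------------------------
// The server decides, from the server-side session, what the caller may receive
// before any record leaves it, so blocking or altering scripts cannot widen the
// result. Denials are recorded so that repeated probing is visible to the operator.
const accessLog = [];

function hardenedReportHandler(session, requestedPolicy) {
  if (!session || !session.role) {
    return { status: 401, records: [] };
  }
  if (session.role === "staff") {
    // Authorised persons may generate a full report or a single-policy report.
    const records = requestedPolicy === undefined
      ? REPORTS
      : REPORTS.filter((r) => r.policyNumber === requestedPolicy);
    return { status: 200, records };
  }
  if (session.role === "policyholder") {
    if (requestedPolicy === undefined || !session.ownPolicies.has(requestedPolicy)) {
      // Refuse without confirming whether the requested policy exists.
      accessLog.push({ subject: session.subject, requestedPolicy, outcome: "denied" });
      return { status: 403, records: [] };
    }
    return { status: 200, records: REPORTS.filter((r) => r.policyNumber === requestedPolicy) };
  }
  return { status: 403, records: [] };
}

// Regression check of the kind the case calls for: run the same policyholder
// request under both browser conditions and confirm only the hardened handler holds.
function regressionCheck() {
  const holder = makeSession("holder-A", "policyholder", ["P-0001"]);
  const weak = weakReportHandler(holder);
  const hardened = hardenedReportHandler(holder, "P-0002");
  return {
    weakWithScript: renderWithScript(weak).length,       // 1: looks fine in testing
    weakWithoutScript: renderWithoutScript(weak).length, // 3: every policyholder is exposed
    hardenedOtherPolicy: hardened.status,                // 403 regardless of scripts
  };
}

console.log(regressionCheck());
```

The point of `regressionCheck` is that the weak design passes a test done only in a normal browser, which is exactly the gap the Deputy Commissioner identified; a regression suite that also exercises the “no script” condition catches it before release, and the server-side `accessLog` gives the operator a signal if someone does request reports they do not own.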
The most positive outcome, in this case, is that the Company only got away with a warning.
The misuse of the personal data was relatively low, and the Company took prompt steps to inform the Commission and implement remedial steps.
Had the information been more confidential (as defined under the PDPA), there could have been severe consequences for the Company with a heavy fine imposed.
Remedial Steps Taken Promptly
After the breach was reported, the Company made every effort and took remedial action (bearing in mind that it had already resolved the glitch on 6 February 2018). It took urgent steps to:-
- review the Portal;
- conduct an initial risk assessment and investigations;
- impose a requirement for regression testing on mobile devices and different screen resolutions;
- ensure that backend access validation was in place;
- train all employees on data protection upon commencement of employment, or through a refresher session; and
- contact all affected persons so that all Reports were retrieved.
7 Lessons Learnt
From this case, it is clear that you must, when working with your developers or IT teams:
#1 Ensure that thorough vulnerability tests are conducted on your websites regularly;
#2 Ensure that reasonable security arrangements are made such as front-end and backend verification procedures when entering secured webpages;
#3 Work closely and in consultation with your developers and IT teams on regular Website maintenance;
#4 Test not only your websites but also your mobile devices, across multiple browsers and screens;
#5 Carry out enhanced testing regularly, such as under script blocking or with other such tools, to bring out any flaws in the coding of your websites and mobile applications;
#6 Equally important is to ensure that all employees receive training on data protection when they start and at yearly trainings;
#7 When there is a breach, report promptly and take remedial steps early. It may well be a mitigating factor and save you from a hefty fine before the Commissioner.