Breach of the Protection Obligation by MCST 3400

2020-08-07

A warning was issued to Management Corporation Strata Title Plan No. 3400 (MCST 3400) for failing to put in place reasonable security arrangements to prevent the unauthorised access of 562 individuals’ personal data stored in an internal directory.

Facts of the case

On 2 September 2019, the Personal Data Protection Commission (PDPC) was notified that a directory containing personal data belonging to MCST 3400 was accessible on the Internet by any member of the public. 

Back in April 2012, MCST 3400 had purchased a Network Attached Storage Device (NAS) for internal file sharing among its administrative staff over a local network. The directory was one of the files stored on the NAS. Not intending for the NAS to be connected to the Internet, the organisation was unaware that the directory could be accessed via an Internet Protocol address without the need for any login credentials. 

The directory contained personal data of 562 individuals collected for the purposes of complying with the Building Maintenance and Strata Management Act, the Building Maintenance (Strata Management) Regulations 2005, as well as to contact subsidiary proprietors of the organisation. 

The following personal data of the affected individuals were exposed to the risk of unauthorised disclosure: 

(a) 12 council members of the organisation: Name; NRIC / Passport Number; Contact number; Email address; and 

(b) 550 subsidiary proprietors of the organisation: Name; Email address; Contact number; Block and Unit number; Change of property ownership details; Identity of resident; Statement of accounts; Car plate numbers; Figures in relation to share values/arrears.

Upon being informed of the incident by the Commission on 2 September 2019, MCST 3400 promptly disconnected the NAS from the Internet on the same day. 

How MCST 3400 contravened section 24 of the PDPA 

Section 24 of the PDPA (the Protection Obligation) requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 

In the Commission’s view, MCST 3400 failed to put in place reasonable security arrangements to protect the disclosed data and was in breach of the Protection Obligation. 

Implement security measures to protect personal data 

The timely detection of risks to personal data is key to an organisation’s compliance with the Protection Obligation, PDPC stresses. 

The Commission highlights two key measures that organisations should implement to detect IT security vulnerabilities: 

First, organisations should conduct code reviews and pre-launch testing before new IT features or changes to IT systems are deployed.  

This is especially important if the new IT feature is accessible from the Internet, and therefore exposed to a “multitude of cyber threats that may compromise the website and expose any personal data [the organisation] collects”.  

Second, organisations should conduct periodic security reviews of their IT systems. 

Particularly, organisations with Internet-facing IT systems that contain sensitive personal data should consider conducting penetration testing as part of their periodic security reviews.  

Lack of any security measures to protect disclosed data 

MCST 3400 admitted that it had not conducted any security reviews of its IT systems, including the NAS and the directory. Consequently, it was unaware that their configuration allowed access from the Internet without any form of access control. 

PDPC noted that MCST 3400 should have formulated a policy for the NAS and the directory, implemented IT security practices that give effect to the policy and conducted periodic security reviews to ensure that the practices are adequate. 

If the intention was to restrict the NAS and the directory to the internal corporate network, then the practices to implement this policy would include considerations like whether the NAS and the directory were connected to the right segment of the corporate network and whether their configuration was effective in limiting access to users.
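The two considerations above (is the device on the intended network segment, and does its configuration actually limit access to authorised users) can be turned into a repeatable check that runs as part of each periodic security review. The following is an added illustration, not code from the PDPC decision or from MCST 3400; the inventory entries, addresses, segment names and policy ranges are all constructed, and the 198.51.100.25 address (a documentation range) stands in for an address reachable from outside the corporate network.

```python
import ipaddress

# Constructed inventory of internal services, in the form a periodic review might
# collect it: what the service is, the address it answers on, the segment it is
# supposed to live on, and whether a login is required to reach its contents.
INVENTORY = [
    {"name": "nas-share",   "address": "198.51.100.25", "segment": "admin-lan", "requires_login": False},
    {"name": "file-server", "address": "10.10.5.4",     "segment": "admin-lan", "requires_login": True},
    {"name": "printer",     "address": "10.10.7.9",     "segment": "admin-lan", "requires_login": False},
]

# Constructed policy: which address ranges count as the internal corporate network,
# and which range each named segment is expected to use.
POLICY = {
    "internal_ranges": [ipaddress.ip_network("10.0.0.0/8"),
                        ipaddress.ip_network("192.168.0.0/16")],
    "segments": {"admin-lan": ipaddress.ip_network("10.10.0.0/16")},
}


def review_service(svc, policy):
    """Return the list of policy findings for one service; an empty list means compliant.

    Checks, in order: (1) the address sits in the segment the policy assigns to it,
    (2) the address is on the internal corporate network at all, (3) access requires
    credentials. Findings are short, stable labels so they can be tracked review to review.
    """
    findings = []
    addr = ipaddress.ip_address(svc["address"])

    expected = policy["segments"].get(svc["segment"])
    if expected is None:
        findings.append("unknown-segment")
    elif addr not in expected:
        findings.append("address-outside-segment")

    if not any(addr in net for net in policy["internal_ranges"]):
        findings.append("not-on-internal-network")

    if not svc["requires_login"]:
        findings.append("no-access-control")

    return findings


def review_inventory(inventory, policy):
    """Map each service name to its findings, for the periodic review report."""
    return {svc["name"]: review_service(svc, policy) for svc in inventory}


def non_compliant(inventory, policy):
    """Names of services with at least one finding, i.e. the ones needing follow-up."""
    return sorted(name for name, f in review_inventory(inventory, policy).items() if f)


if __name__ == "__main__":
    for name, findings in review_inventory(INVENTORY, POLICY).items():
        print(f"{name}: {', '.join(findings) or 'compliant'}")
```

A store of this kind (a device on an address outside every internal range, with no login required) is exactly the situation described in the case; the point of the check is that the condition is found by the organisation's own review rather than reported to it from outside.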

In view of MCST 3400’s admission, and the lack of any security measures to protect the disclosed data stored in the directory, PDPC found the organisation in breach of section 24 of the PDPA. 

Conclusion

In reaching its decision, PDPC took into account the following mitigating factors: 

(a) Most of the disclosed data exposed to the risk of unauthorised access, use and/or disclosure consisted only of contact information; 

(b) The organisation took prompt remedial action to disconnect the NAS from the Internet; and 

(c) There was no evidence of actual misuse or exfiltration of the disclosed data. 

Thus, PDPC issued a warning to MCST 3400 for the breach of its obligations under section 24 of the PDPA. No directions were required in view of the prompt remedial action implemented by MCST 3400. 
Adapted from:

Breach of the Protection Obligation by MCST 3400

by Shermaine Ang
Edited by Leong Wai Chong, CIPM, GRCP

The views and opinions expressed in this article are summarised as interpreted by the author and editor and may not necessarily reflect the official view or position of DPEXNetwork nor the PDPC.