Enforcement on an Organisation for failing to protect the data of Employees: Jean Yip Salon

2021-06-02

One would not expect a small and medium enterprise like Jean Yip Salon Pte Ltd, to be in trouble with the Personal Data Protection Commission (PDPC) of Singapore over its privacy and personal data protection practice.

However, the PDPC received a complaint that the employee system maintained by Jean Yip Salon (the System) was publicly accessible via the internet. The personal data of 28 individuals could be accessed by an unauthorised person via the System, including the employees’ names, NRIC numbers, residence status, dates of birth, nationality, gender, mobile numbers and job designations.

The Commission found that the salon did not adopt reasonable measures to protect personal data in its possession against the risk of unauthorised access. First, it opened public access to a server without ascertaining what it hosted. As a result, while enabling public access to the Customer Online Appointment Booking System, it inadvertently also allowed access to the system that was meant only for internal use, as it was also hosted on the same server.

Second, there were no processes in place to remove or deactivate unnecessary user accounts of the System. Lastly, the organisation did not enforce a password policy for the user accounts of the System. As such, the complainant was able to gain access to the System by simply using a well-known and weak default username and password pair. In the circumstances, the Deputy Commissioner for Personal Data Protection found Jean Yip Salon Pte Ltd in breach of section 24 of the Personal Data Protection Act 2012 and issued a warning to the organisation. No directions were required as it had implemented corrective measures that addressed the gaps in its security arrangements.

One of the key takeaways from the case is that organisations have to be very careful about how open their systems are, and which systems share a publicly reachable server. Additionally, there have to be frequent checks to deactivate unused or “unnecessary” user accounts. Lastly, organisations have to ensure that default usernames and passwords are changed before a system goes live, and that passwords are changed regularly thereafter to reduce risk.
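The three gaps the Commission identified (an internal system exposed because it shared a server with a public one, no clean-up of unnecessary accounts, and default credentials left in place) can be checked routinely. The script below is an added illustration written for this article; it is not code from the PDPC decision or from Jean Yip Salon, and the account records, default-credential list and listener table in it are constructed sample data with hypothetical names. It flags accounts still using a known default username/password pair, accounts dormant for longer than a retention window, and internal-only applications bound to an address reachable from the internet.

```python
"""Account-hygiene and exposure audit for a small internal web application.

Added example, not from the PDPC decision or the organisation discussed.
All data below (accounts, default pairs, listeners) is constructed.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

DORMANT_DAYS = 90                      # assumed retention window
AUDIT_DATE = date(2021, 6, 2)          # constructed "today" for the sample run

# Constructed: default credentials a hypothetical vendor ships with.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("staff", "staff123")}


def hash_password(password: str, salt: str) -> str:
    """Salted SHA-256 stand-in for whatever the application stores."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class Account:
    username: str
    salt: str
    pw_hash: str
    last_login: Optional[date]         # None means the account never logged in


def uses_default_credentials(acct: Account) -> bool:
    """Hash each known default password for this username with the account's
    salt and compare; the audit never needs the user's real password."""
    return any(
        hash_password(pw, acct.salt) == acct.pw_hash
        for user, pw in KNOWN_DEFAULTS
        if user == acct.username
    )


def is_dormant(acct: Account, today: date, limit_days: int = DORMANT_DAYS) -> bool:
    """Never-used accounts and accounts idle beyond the window are dormant."""
    if acct.last_login is None:
        return True
    return (today - acct.last_login).days > limit_days


def audit_accounts(accounts: List[Account], today: date) -> dict:
    findings = {"default_credentials": [], "dormant": []}
    for a in accounts:
        if uses_default_credentials(a):
            findings["default_credentials"].append(a.username)
        if is_dormant(a, today):
            findings["dormant"].append(a.username)
    return findings


def exposed_internal_listeners(listeners: List[Tuple[str, str, bool]]) -> List[str]:
    """listeners: (app_name, bind_address, internal_only).
    An internal-only app is flagged unless it binds to loopback or a private
    range; 0.0.0.0 counts as exposed even though ipaddress treats it as private."""
    flagged = []
    for app, addr, internal_only in listeners:
        ip = ipaddress.ip_address(addr)
        exposed = ip.is_unspecified or not (ip.is_loopback or ip.is_private)
        if internal_only and exposed:
            flagged.append(app)
    return flagged


# Constructed sample accounts (hypothetical usernames).
SAMPLE_ACCOUNTS = [
    Account("admin", "s1", hash_password("admin", "s1"), date(2021, 5, 30)),
    Account("jtan", "s2", hash_password("Correct-Horse-7!", "s2"), date(2021, 1, 10)),
    Account("mlee", "s3", hash_password("Another-Str0ng-Pass", "s3"), date(2021, 5, 28)),
    Account("temp", "s4", hash_password("x", "s4"), None),
]

# Constructed listener table: a public booking app and two internal apps on one host.
SAMPLE_LISTENERS = [
    ("booking", "0.0.0.0", False),
    ("employee_system", "0.0.0.0", True),
    ("hr_reports", "127.0.0.1", True),
]

if __name__ == "__main__":
    print(audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE))
    print(exposed_internal_listeners(SAMPLE_LISTENERS))
```

Run against the sample data, the audit reports `admin` as still on a default pair, `jtan` and `temp` as dormant, and `employee_system` as an internal application bound to every interface on the same host as the public booking app. Scheduling a check like this alongside a password-rotation policy covers the three findings in the decision.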


Adapted from: Breach of the Protection Obligation by Jean Yip Salon,
https://www.pdpc.gov.sg/Commissions-Decisions


Article by: Leong Wai Chong, GRCP, CIPM

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.

