One would not expect a small and medium enterprise like Jean Yip Salon Pte Ltd to be in trouble with the Personal Data Protection Commission (PDPC) of Singapore over its privacy and personal data protection practices.
However, the PDPC received a complaint about the employee system maintained by Jean Yip Salon (the System); that it was publicly accessible via the internet. The personal data of 28 individuals could be accessed by an unauthorised person via the system including the employees’ name, NRIC number, residence status, date of birth, nationality, gender, mobile number and job designation.
The Commission found that the salon did not adopt reasonable measures to protect personal data in its possession against the risk of unauthorised access. First, it opened public access to a server without ascertaining what it hosted. As a result, while enabling public access to the Customer Online Appointment Booking System, it inadvertently also allowed access to the system that was meant only for internal use, as it was also hosted on the same server.
Second, there were no processes in place to remove or deactivate unnecessary user accounts of the System. Lastly, the organisation did not enforce a password policy for the user accounts of the System. As such, the complainant was able to gain access to the System by simply using a well-known and weak default username and password pair. In the circumstances, the Deputy Commissioner for Personal Data Protection found Jean Yip Salon Pte Ltd in breach of section 24 of the Personal Data Protection Act 2012 and issued a warning to the organisation. No directions were required as it had implemented corrective measures that addressed the gaps in its security arrangements.
One of the key takeaways from the case is that organisations have to know exactly what they are exposing to the internet before opening up a server: an internal system that shares a host with a public-facing one is exposed along with it. Additionally, there have to be regular checks to deactivate unused or “unnecessary” user accounts, and accounts belonging to people who have left should be removed promptly. Lastly, organisations have to ensure that default usernames and passwords are changed before a system goes live, and that a password policy rejects weak and well-known credentials thereafter. Note that current guidance such as NIST SP 800-63B no longer recommends forcing users to change passwords on a fixed schedule; screening new passwords against lists of default, common and breached values, and rotating only on evidence of compromise, is the more effective control.
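The two account-hygiene gaps in this case (stale accounts and default credentials) are easy to check for mechanically. The script below is an added example written for this page, not code from the PDPC decision or from Jean Yip Salon: it audits a constructed set of user records, flagging accounts that still authenticate with a well-known default pair, accounts with no login inside an assumed 90-day window, and accounts that no longer match an assumed HR roster. The account data, the default-credential list and the thresholds are all assumptions chosen for illustration.

```python
"""Account-hygiene audit: flag default credentials, stale accounts and leavers.

Added example. All records, the default-credential list and the 90-day
threshold are constructed assumptions, not data from the PDPC decision.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock so the results are reproducible
STALE_AFTER = timedelta(days=90)                   # assumed policy: no login for 90 days => stale
PBKDF2_ROUNDS = 100_000

# Assumed list of vendor/default pairs an attacker will try first.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "admin123"),
    ("user", "user"),
]


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    created: datetime
    last_login: Optional[datetime]
    enabled: bool = True


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the same scheme the system is assumed to store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(username: str, password: str, created: datetime,
                 last_login: Optional[datetime], enabled: bool = True) -> Account:
    # Deterministic salt so the demo is reproducible; a real system uses os.urandom(16).
    salt = hashlib.sha256(username.encode()).digest()[:16]
    return Account(username, salt, hash_password(password, salt), created, last_login, enabled)


def uses_default_credentials(acct: Account) -> bool:
    """True if a known default username/password pair verifies against the stored hash."""
    return any(
        acct.username == user and hash_password(pw, acct.salt) == acct.pw_hash
        for user, pw in DEFAULT_CREDENTIALS
    )


def is_stale(acct: Account, now: datetime = NOW) -> bool:
    """Stale if the last login (or creation, if never used) is older than STALE_AFTER."""
    last_activity = acct.last_login or acct.created
    return now - last_activity > STALE_AFTER


def audit(accounts: List[Account], hr_roster: Set[str], now: datetime = NOW) -> Dict[str, List[str]]:
    """Return {username: [issues]} for every enabled account that needs attention."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already deactivated; nothing to do
        issues = []
        if uses_default_credentials(acct):
            issues.append("default-credentials")
        if is_stale(acct, now):
            issues.append("stale")
        if acct.username not in hr_roster:
            issues.append("not-on-hr-roster")
        if issues:
            findings[acct.username] = issues
    return findings


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data (assumption): one vendor default account, three staff, one leaver.
HR_ROSTER = {"alice", "bob", "carol"}
SAMPLE_ACCOUNTS = [
    make_account("admin", "admin", utc(2022, 1, 1), utc(2024, 1, 10)),          # default pair never changed
    make_account("alice", "Tr0ub4dor&3!x", utc(2023, 3, 1), utc(2024, 1, 14)),  # healthy
    make_account("bob", "correct horse battery", utc(2023, 3, 1), utc(2023, 9, 1)),  # no login for 136 days
    make_account("carol", "sunset-river-42", utc(2023, 3, 1), None, enabled=False),  # already deactivated
    make_account("dave", "welcome1", utc(2023, 6, 1), None),                    # left the company, never logged in
]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_ACCOUNTS, HR_ROSTER).items():
        print(f"{user}: {', '.join(issues)}")
```

Run on the sample data, the audit reports `admin` for default credentials and for not being on the roster, `bob` as stale, and `dave` as both stale and a leaver; `alice` is clean and the disabled `carol` account is skipped. In a real deployment the roster comes from the HR system, the account list from the application database, and the job runs on a schedule with its output feeding a ticket queue rather than stdout.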
Adapted from: Breach of the Protection Obligation by Jean Yip Salon,
https://www.pdpc.gov.sg/Commissions-Decisions
Article by: Leong Wai Chong, GRCP, CIPM
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.
DPEX Network is a Community Initiative of Straits Interactive.
Copyright © Straits Interactive Pte Ltd. All Rights Reserved.
All intellectual property rights to logos and brands featured on this website remain the property of their respective owners.