Singapore’s privacy watchdog, the Personal Data Protection Commission (PDPC), has slapped fines on telecom provider Singtel and Ninja Logistics for potentially exposing personal details of their customers.
How much are the fines?
Singtel has been fined a sum of $25,000 for a data breach that came to light in May 2017. On the other hand, Ninja Logistics has been asked to pay a fine of $90,000 for a data breach that occurred in 2016 and lasted for over a year.
An overview of Singtel data breach
The Singtel data breach came to light through an anonymous tip-off to the PDPC in May 2017. The firm was alleged to have exposed personal details of up to 330,000 of its customers due to a design flaw in its app.
This allowed anyone to see other customers’ accounts, exposing their billing information, names, and addresses.
The PDPC said that anyone with working knowledge of how a mobile app communicates with servers could have exploited the vulnerability.
"The informant accessed four billing accounts and extracted the customer's name, billing address, billing account number, mobile phone number as well as customer service plans (including data, talk time and SMS usage)," PDPC added, The Straits Times reported.
Where did the flaw exist?
PDPC noted that Singtel had hired a third-party vendor for regular security tests on the mobile app and systems. However, the design flaw in question was not detected and this led to the data breach.
“Despite having received professional advice to take precautions against such vulnerabilities, the organization omitted to conduct a full code review…and hence failed to discover (the vulnerability) that was exploited in this case,” the PDPC said.
The PDPC further added that the vulnerability “is a relatively basic design issue and well-known security risk that a reasonable person would have considered necessary to detect and prevent”.
A preview of Ninja Logistics’ data breach
The goods delivery startup Ninja Logistics has been fined for exposing personal data of up to 1.26 million individuals on its website.
From 2016 to 2018, users were able to view details of other customers by entering tracking numbers on the order tracking function. This exposed information such as names, addresses, and signatures of customers.
Other security lapses
The PDPC also noted that Ninja Logistics had unsuccessfully tried to introduce a second layer of authentication, which required a part of a customer’s name or mobile number to verify the identity of the person using a tracking number.
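A sketch of how an order tracking function can apply a second-layer check of the kind described above. This is an added example, not Ninja Logistics' code: the `track` function, the last-four-digits check, the masking and the attempt limit are assumptions, and the records are constructed.

```python
import hmac

# Constructed sample record; the tracking number and personal data are made up.
ORDERS = {
    "TRK0001": {"status": "Delivered", "name": "Tan Mei Ling",
                "address": "1 Example Road", "mobile": "91234567"},
}
MAX_ATTEMPTS = 3   # assumed limit: four digits are guessable without one
_failed = {}       # tracking number -> failed verification attempts


def _mask(value, keep=2):
    """Keep the first `keep` characters and star out the rest."""
    return value[:keep] + "*" * (len(value) - keep)


def track(tracking_no, mobile_last4=None):
    """Return delivery status; add masked recipient data only after verification."""
    order = ORDERS.get(tracking_no)
    if order is None:
        return {"error": "not found"}

    # A tracking number alone yields the status, which carries no personal data.
    result = {"status": order["status"]}
    if mobile_last4 is None:
        return result

    # Lock the record once the attempt budget is spent, even for a correct guess.
    if _failed.get(tracking_no, 0) >= MAX_ATTEMPTS:
        return {"error": "locked"}

    expected = order["mobile"][-4:]
    # Constant-time comparison on bytes avoids leaking how many digits matched.
    if hmac.compare_digest(mobile_last4.encode(), expected.encode()):
        _failed.pop(tracking_no, None)
        # Verified callers still get masked fields; signatures are never returned.
        result["name"] = _mask(order["name"])
        result["address"] = _mask(order["address"], keep=4)
        return result

    _failed[tracking_no] = _failed.get(tracking_no, 0) + 1
    return {"error": "verification failed"}
```

In a real service the attempt counter would live in shared storage and also be keyed on the client, so that guesses cannot be spread across tracking numbers.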
Both Singtel and Ninja Logistics have admitted and fixed the underlying issue. Singtel has addressed the design flaw by releasing the latest version of the app. Similarly, Ninja Logistics has implemented corrective measures to rectify the matter.