Singapore’s privacy watchdog Personal Data Protection Commission (PDPC) announced on Monday (November 4) that both Singtel and Ninja Logistics has been charged for data breach offences.
Telco Singtel has been fined $25,000, while Ninja Logistics — which provides logistics services under local startup Ninja Van — was fined $90,000.
For Singtel, personal information of approximately 330,000 of its subscribers was put at risk of disclosure.
Due to a design flaw in My Singtel app, users could could potentially access other customers’ accounts, exposing details like billing information, names and addresses.
PDPC said that anyone with working knowledge of how a mobile app communicates with servers could have exploited the vulnerability, and the tools needed to do so are available online.
“The informant accessed four billing accounts and extracted the customer’s name, billing address, billing account number, mobile phone number as well as customer service plans (including data, talk time and SMS usage),” it added.
While there was no further evidence of unauthorised access, Singtel still “failed to put in place reasonable security arrangements” to protect customers’ personal data.
Singtel has actually hired a third-party vendor for regular security tests on the mobile app and systems, but it failed to detect the design flaw which caused the data breach.
PDPC noted that Singtel “ought to have been more diligent in performing a thorough assessment”, especially after a similar vulnerability was found in a 2015 security test.
For this, it could have been charged a maximum penalty of $1 million but PDPC noted that the “exploitation of the vulnerability requires some level of technical expertise.”
The My Singtel app has since been fixed, and the latest version does not have this design issue.
PDPC: Firms Must Implement “Workable Security Arrangement”
On the other hand, Ninja Logistics allowed users to potentially access personal data of up to 1.26 million individuals on its website.
It was reported to PDPC in April last year that their order tracking webpage allowed users to key in a different tracking number as well as access information such as names and addresses of those whose parcel delivery status were set to “completed”.
This went on from 2016 to 2018. Then in August 2016, another 2.6 million archived tracking numbers removed older customers’ data from view.
PDPC noted that the exposed personal data had not been maliciously collected or misused.
According to Ninja Van, there is a limit on the number of times a single user can try to retrieve parcel details. Based on their records, there have been no anomalies in access patterns.
PDPC has ruled that Ninja Logistics must now ensure that tracking numbers expire after a certain time once orders are completed. The time must be “as reasonably short as possible while meeting business needs.”
It asserted that it’s necessary for Ninja Van to “implement a workable security arrangement to protect the exposed personal data.”
The firm has since implemented changes such as not letting parcels be tracked two weeks after delivery, and removing recipients’ names and signatures from its webpage from mid-October 2019.
Featured Image Credit: Nikkei Asian Review / Ninja Van