Singtel and Ninja Logistics fined for data breach, Latest Singapore News - The New Paper

Singtel and Ninja Logistics fined for data breach

This article is more than 12 months old

The firms had exposed clients' data on their respective app and website

Telco Singtel has been fined $25,000 for a data breach involving its My Singtel mobile app, according to a decision released on Monday by Singapore's privacy watchdog, the Personal Data Protection Commission (PDPC).

Because of a design problem, My Singtel users could potentially access other customers' accounts, exposing the billing information - including names and addresses - of up to 330,000 subscribers.

Separately, Ninja Logistics - which operates goods delivery start-up Ninja Van - was fined $90,000 for leaving up to 1.26 million individuals' data exposed to website users, in a decision also out on Monday.

From 2016 to last year, users of the order tracking function on Ninja Logistics's website were able to enter a different tracking number and view information, such as names, addresses and signatures, of customers whose parcel delivery statuses were set to "completed".

The PDPC, which acted on a complaint about Ninja Logistics in April last year, noted that there was no evidence that the exposed personal data had been "exfiltrated" or maliciously collected.

Ninja Logistics had also tried - albeit unsuccessfully - to introduce a second layer of authentication by requiring part of a customer's name or mobile number to verify the identity of the person using a tracking number.

Still, "it is inexcusable for the organisation to neglect its obligations to implement a workable security arrangement to protect the exposed personal data", the PDPC ruled.

Meanwhile, the Singtel breach came to light through an anonymous tip-off to the PDPC in May 2017, which alleged that communications between the app and Singtel's servers could be manipulated to gain access to other users' accounts.

Anyone with working knowledge of how a mobile app communicates with servers could have exploited the vulnerability, the PDPC said.

"The informant accessed four billing accounts and extracted the customer's name, billing address, billing account number, mobile phone number as well as customer service plans (including data, talk time and SMS usage)," it noted.

"While there was no further evidence of unauthorised access, the personal data of approximately 330,000 of the organisation's customers who were using the mobile app at the material time were put at risk of disclosure."

Singtel had hired a third-party vendor for regular security tests on the mobile app and systems. But the design flaw that led to the latest data breach was not detected - even though a similar vulnerability had been detected and rectified in 2015.

Singtel said that the app has been strengthened with "improved data encryption and new standards". - THE STRAITS TIMES