The Personal Data Protection Commission (“the Commission”) issued a Warning to Specialized Asia Pacific Pte. Ltd. (“SAP”) for breach its personal data protection obligations under Section 24 of the Personal Data Protection Act (“PDPA”).

Specialized Asia Pacific Pte. Ltd. is a wholesale company of sporting products and equipment including bicycles and healthcare equipment, established in 2009 in Singapore.

Context

On 29 January 2021, SAP informed the Commission of an incident breach of data security relating to its Specialized Cadence Application that it developed, operated, and maintained. The application, which had a  default privacy setting which made all the data created by users or developers to be visible to any third party who could use a third-party security testing software to intercept such data. As a result of this default privacy setting, the personal data of 2,445 individuals were at risk of unauthorized access. The personal data included names, addresses, dates of birth, phone numbers, email address, and gender of the users of the application.

Once the vulnerability of the default setting was detected, SAP immediately took remedial measures by by turning off all access and use of the application by all externals and changing the privacy setting from “visible” to “hidden”. SAP also engaged a cybersecurity firm to review and strengthen its security measures.

Section 24 of the PDPA requires organisations to understand the privacy policies and security features of all online tools or software they choose . When employing an online tool or software, an organisation must revise the privacy and security setting of such a tool to protect personal data as per its personal data protection obligations under the PDPA. Using the same default privacy setting of the online tools does not discharge the liability of an organisation to comply with its personal data protection obligations under section 24 of PDPA.

At the end of its investigation, the Commission concluded that given the circumstances that the risk of personal data exposure was limited to parties who had the knowledge and understanding to use a third-party security testing software to access the affected personal data, the Commission deemed that no financial penalties were necessary. The Commission issued a warning against SAP and did not issue any further directions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.