SINGAPORE: A vendor has been fined S$4,000 for a coding error that led to the disclosure of the personal data of more than 400 national servicemen last year.
The vendor, Option Gift, maintains Uniqrewards, an online portal through which NSmen redeem credits and gifts given by the Ministry of Defence (MINDEF) and the Ministry of Home Affairs (MHA) for their good performance during in-camp training or courses, or to celebrate certain events, such as the birth of a child.
In June last year, MINDEF and MHA announced that the personal data of 427 NSmen who had redeemed credits for two rewards programme had been sent to each other after Option Gift deployed an erroneous programme script to send out confirmation emails.
The Personal Data Protection Commission (PDPC) in a report on its decision on Thursday (Jun 6) said that Option Gift had failed to conduct sufficient testing before deploying the programme script.
"As the administrator of the portal, the organisation had full possession and control over the personal data that the portal collects, uses, discloses and processes at all material times," PDPC said in its report.
"Accordingly, the organisation had full responsibility for the security of the portal, any changes to it, as well as the personal data processed by it," it added.
ERROR FOUND IN SCRIPT THAT WAS WRITTEN TO RECTIFY AN INITIAL PROBLEM
The PDPC report showed an Option Gift employee had failed to reset a service account password before its expiry, resulting in the NSmen not receiving confirmation emails for redemption requests submitted between May 22 and 24 last year.
To rectify the issue, Option Gift wrote a script to regenerate and send out the confirmation emails.
However, instead of sending the confirmation email to only one intended recipient, an error caused the script to send the personal data of the NSmen – including log-in details, delivery address, email address and mobile numbers – to each other.
The report stated that the first recipient of the confirmation email received the message that was intended for him, along with the confirmation emails for the other 426 recipients.
The second recipient received the email that was intended for him, along with the confirmation emails for the other 425 recipients, with the pattern continuing until the last recipient.
"This error resulted in the personal data of up to 426 NSmen being accidentally disclosed," PDPC said in its report.
PREVENTING A RECURRENCE
Immediately after the incident was discovered, Option Gift emailed the affected NSmen to apologise and ask them to delete all emails not intended for them.
Option Gift also informed PDPC of the incident and offered the NSmen an S$80 gift voucher as a gesture of apology.
In addition, Option Gift has since introduced several measures to prevent a recurrence of the incident. This includes a secondary check on all future changes to the portal and enhanced review checks.
Improvements have also been made on the backend system to allow confirmation emails to be resent directly, and a new standard operating procedure to document resending of such emails.
Source codes now have to be reviewed by at least one other person as well as an application that will be used to detect bugs and vulnerabilities.
For failing to protect the personal data in its possession, Option Gift could have been fined up to S$1 million.
However, the commissioner took into consideration that Option Gift had voluntarily reported the breach and the company's full cooperation during the investigations, the PDPC report said.
It also noted that Option Gift took steps to mitigate the effects of the breach and corrective action to resolve system vulnerabilities.
“The commissioner has not set out any further directions for the organisation given the remediation measures already put in place,” the report said.