SINGAPORE: Food and beverage outlet operator Spize has been fined S$20,000 after the personal data of about 150 customers was disclosed on its online ordering portal in 2017.
In the grounds of decision dated Thursday (Jul 4), which was published on the Personal Data Protection Commission (PDPC) website, the PDPC received a complaint on Aug 12, 2017 from a member of the public.
"A link on the site named Call Center had allowed members of the public to view three tabs: Customer Ordering, Restaurants and Order Dashboard. Under the Order Dashboard tab, 148 customers' personal data, specifically their names, contact numbers, email addresses and residential addresses, was disclosed," it was stated.
The incident was caused by a user who logged in to the managing director's administration account and enabled the link, making it publicly accessible when it was intended only for internal use, it added.
Upon receiving news of the incident on Aug 14, 2017, Spize reached out to US company Novadine, which it had engaged to develop and host its site and online ordering system. Spize requested that Novadine rectify the weakness, and the link was disabled.
The link has not been publicly accessible since Aug 16 that same year.
SPIZE NOT ON TOP OF DATA PROTECTION MEASURES
Investigations revealed that Spize had failed to ensure the adoption of "reasonable security arrangements" to prevent such a breach of data from occurring.
In the grounds of decision, it was stated that Spize lacked knowledge of the Novadine system - in particular, knowledge that enabling the link could disclose its customers' personal data to the public.
"Based on Spize's responses to the PDPC's queries during investigations, it was apparent that Spize and its managing director, whose account was used to enable the link, did not know about the existence of the link or the consequences of enabling it," it stated.
Spize was also said to have lacked knowledge of the security arrangements that were in place within the Novadine system to protect personal data.
The document stated that Spize's lack of knowledge on how personal data was processed on its behalf by Novadine was caused and/or compounded by the lack of records in its possession.
"The staff previously responsible for documenting Spize's arrangement with Novadine had since left Spize. Spize also did not have any staff responsible to manage the relationship between Spize and Novadine," it said.
The administrator accounts for the system were also found to have insufficient authentication and authorisation measures. In particular, the managing director’s account could be accessed with a basic eight-digit password which was shared among several people and not required to be regularly changed.
As a result, Spize was unable to identify the employee responsible for the data breach.
SPIZE TAKES STEPS TO SAFEGUARD DATA
A number of mitigating factors were taken into consideration by the Commissioner in determining the repercussions for Spize.
Following the incident, Spize was acknowledged to have implemented a customised data protection framework and conducted data protection training for its employees. It has also engaged a new IT vendor to replace the site and the online ordering system; the new site is to be locally hosted.
Other factors that were taken into account were Spize's prompt action in asking Novadine to remove the link from the public domain, as well as the company's cooperation during investigations.
Spize said the incident was “unintentional and was a result of human error”, according to the document. It added that the fine was “a hefty price to pay” as one of its outlets had been ordered shut following a salmonella outbreak last year, and requested a reduction, which was declined.