SINGAPORE - Telco Singtel has been fined $25,000 for a data breach involving its My Singtel mobile app, according to a decision released on Monday (Nov 4) from the Personal Data Protection Commission (PDPC), Singapore’s official privacy watchdog and enforcer of the Personal Data Protection Act.

Because of a design problem, My Singtel users could potentially access other customers’ accounts, exposing the billing information - including names and addresses - of up to 330,000 subscribers.

Separately, Ninja Logistics - which operates goods delivery startup Ninja Van - was fined $90,000 for leaving up to 1.26 million individuals’ data exposed to website users, in a decision also out on Monday.

From 2016 to 2018, users of the order tracking function on Ninja Logistics’s website were able to enter a different tracking number and view information, such as names, addresses and signatures, of customers whose parcel delivery statuses were set to “completed”.

Another 2.6 million tracking numbers had earlier been archived in August 2016, which removed those older customers’ data from view.

Ninja Logistics must now also ensure that tracking numbers expire after a certain time once orders are completed - a time “as reasonably short as possible while meeting business needs”, the PDPC ruled.

The PDPC, which acted on a complaint about Ninja Logistics in April 2018, noted that there was no evidence that the exposed personal data had been “exfiltrated” or maliciously collected.

Related Story Ikea says sorry for customer data breach

Related Story 5 firms fined over data breaches

Related Story Virtual telco fined $4,000 for data breach

Related Story Singtel app down after software glitch shows details of customer

Ninja Logistics had also tried - albeit unsuccessfully - to introduce a second layer of authentication by requiring part of a customer’s name or mobile number to verify the identity of the person using a tracking number.

The company did so for about three months after the tracking function was launched in December 2014, but later said that “these methods were not workable” - for example, as customers might forget what name they used for their orders.

Still, based on “the foreseeable risk” of using tracking numbers alone to access the tracking function webpage, “it is inexcusable for the organisation to neglect its obligations to implement a workable security arrangement to protect the exposed personal data”, the PDPC ruled.

The PDPC also found that, had Ninja Logistics set a fixed expiry period for tracking number validity after deliveries are completed - which has since been implemented - the risk of unauthorised access and exposure would have been “significantly” reduced.

Ninja Logistics said in a statement that its webpage was not hacked and “there is no evidence that personal data from the previous version of the tracking webpage was scraped or harvested”.

There is a limit on how many times a single user can try to retrieve parcel details and, based on its records, there have been no anomalies in access patterns, the company said.

“We apologise for any distress this incident may have caused and want to reassure our customers and parcel recipients that immediate corrective measures were taken to rectify the matter,” it added.

The company cited changes such as not letting parcels be tracked two weeks after delivery, and removing recipients’ names and signatures from its webpage from mid-October 2019.

Meanwhile, the Singtel breach came to light through an anonymous tip-off to the PDPC in May 2017, which alleged that communications between the app and Singtel’s servers could be manipulated to gain access to other users’ accounts.

Anyone with working knowledge of how a mobile app communicates with servers could have exploited the vulnerability, and the tools needed to do so are available online, the PDPC said in its decision.

“The informant accessed four billing accounts and extracted the customer’s name, billing address, billing account number, mobile phone number as well as customer service plans (including data, talk time and SMS usage),” the PDPC noted.

“While there was no further evidence of unauthorised access, the personal data of approximately 330,000 of the organisation’s customers who were using the mobile app at the material time were put at risk of disclosure.”

The PDPC found that Singtel - which faced a maximum penalty of $1 million - had “failed to put in place reasonable security arrangements” to protect customers’ personal data, although the decision document also said that the PDPC went with a smaller penalty “given that the exploitation of the vulnerability requires some level of technical expertise”.

Singtel had hired a third-party vendor for regular security tests on the mobile app and systems. But the design flaw that led to the latest data breach was not detected - even though a similar vulnerability had been detected and rectified in 2015, two years earlier.

“Despite having received professional advice to take precautions against such vulnerabilities, the organisation omitted to conduct a full code review…and hence failed to discover (the vulnerability) that was exploited in this case,” the PDPC said.

The PDPC noted that the vulnerability “is a relatively basic design issue and well-known security risk that a reasonable person would have considered necessary to detect and prevent”.

It found that Singtel “ought to have been more diligent in performing a thorough assessment” after a similar vulnerability was found in the 2015 security test.

The My Singtel app has since been fixed, and the latest version does not have this design issue, according to the PDPC’s report.

When contacted, a spokesman for Singtel said that the app has been strengthened with “improved data encryption and new standards”.

“Additionally, we conduct frequent third-party penetration tests, and comprehensive security awareness and training programmes for our app development teams, to prevent such incidents from recurring,” she said.