Singapore acts after whistleblowers unveil data breaches in Singtel and Ninja Van

The PDPC acted after receiving information from whistleblowers.

Telco Singtel was fined $25,000 after an issue with its My Singtel mobile app, allowed users to other customers’ accounts, exposing the billing information like names and addresses of more than 330,000 subscribers, according to The Straits Times.

PDPC acted after receiving information from a whistleblower in May 2017, who alleged that communications between the app and Singtel’s servers could be manipulated to gain access to other users’ accounts.

It found that anyone with working knowledge of how a mobile app communicates with servers could have exploited the vulnerability, and the tools needed to do so are available online,

“The informant accessed four billing accounts and extracted the customer’s name, billing address, billing account number, mobile phone number as well as customer service plans (including data, talk time and SMS usage),” the PDPC said.

“While there was no further evidence of unauthorised access, the personal data of approximately 330,000 of the organisation’s customers who were using the mobile app at the material time were put at risk of disclosure.”

The PDPC noted that Singtel had hired a third-party vendor for regular security tests on the mobile app and systems. However, the design flaw that led to the data breach was not detected, even though a similar vulnerability had been detected and rectified in 2015 by Singtel.

“Despite having received professional advice to take precautions against such vulnerabilities, the organisation omitted to conduct a full code review…and hence failed to discover (the vulnerability) that was exploited in this case,” the PDPC said.

The PDPC noted that the vulnerability “is a relatively basic design issue and well-known security risk that a reasonable person would have considered necessary to detect and prevent”.

It then decided to fine Singtel as it felt the telco “ought to have been more diligent in performing a thorough assessment” after a similar vulnerability was found in the 2015 security test.

For delivery startup Ninja Van, it was fined $90,000 for leaving up to 1.26 million individuals’ data exposed to website users from 2016 to 2018 after another whistleblower tipped off the PDPC.

This meant users of the order tracking function on Ninja’s website were able to enter a different tracking number and view information, such as names, addresses and signatures, of customers whose parcel delivery statuses were set to “completed”.

However, another 2.6m tracking numbers, had earlier been archived in August 2016, meant that older customers’ data were not affected.

The PDPC noted Ninja Logistics had also unsuccessfully tried to introduce a second layer of authentication by requiring part of a customer’s name or mobile number to verify the identity of the person using a tracking number.

It found that the company did so for about three months after the tracking function was launched in December 2014, but later said that “these methods were not workable” - for example, as customers might forget what name they used for their orders.

However, the PDPC ruled that based on “the foreseeable risk” of using tracking numbers alone to access the tracking function webpage, “it is inexcusable for the organisation to neglect its obligations to implement a workable security arrangement to protect the exposed personal data”.

The PDPC also found that, had Ninja Logistics set a fixed expiry period for tracking number validity after deliveries are completed - which has since been implemented - the risk of unauthorised access and exposure would have been “significantly” reduced.

It said Ninja must now also ensure that tracking numbers expire after a certain time once orders are completed, a time “as reasonably short as possible while meeting business needs.”

Ninja has since apologised for any distress this incident may have caused and reassured its customers and parcel recipients that immediate corrective measures were taken to rectify the matter.

According to the PDPC, the My Singtel app has since been fixed, and the latest version does not have this design issue.

A spokesman for Singtel said that the app has been strengthened with “improved data encryption and new standards” and that it conducts frequent third-party penetration tests, and comprehensive security awareness and training programmes for its app development teams, to prevent such incidents from recurring.

The PDPC previously fined ride-sharing platform Grab $16,000 for leaking its customers' data in email marketing campaigns sent to customers who used its ride-sharing services, GrabCar.