17 July 2023

Fullerton Healthcare Group Pte Limited and Agape CP Holdings Pte. Ltd. [2023] SGPDPC 5

Background

On 19 October 2021 and 21 October 2021, Fullerton Healthcare Group Pte Limited (“FHG”) and Agape CP Holdings Pte. Ltd. (“Agape”) respectively notified the Personal Data Protection Commission (“PDPC”) that the personal data of FHG’s customers had been accessed, exfiltrated, and offered for sale on the dark web (“Incident”).

FHG and Agape requested for the investigations to be handled under the PDPC’s Expedited Decision Procedure. Accordingly, FHG and Agape admitted that they had failed to implement reasonable security arrangements to protect the personal data accessed and exfiltrated in the Incident in breach of Section 24 of the Personal Data Protection Act 2012 (“PDPA”) (“Protection Obligation”).

FHG is an enterprise healthcare service provider which provides healthcare services to individuals and employees of its corporate clients. In 2018, FHG engaged Agape, a business process outsourcing provider and social enterprise, to provide call centre and appointment booking services for its customers (“Services”). As part of its social enterprise initiatives, Agape engaged inmates from Changi Women’s Prison (“Agents”) to assist in provision of the Services for FHG’s customers.

In order to carry out the Services, FHG provided Agape with access to the personal data of its customers via Microsoft SharePoint, a cloud-based document management system. A single Agape personal computer (“Computer”) was authorised to access FHG’s SharePoint’s platform via an FHG-assigned SharePoint account.

In order to facilitate Agents’ access to FHG’s customer data from within Changi Women’s Prison, Agape downloaded FHG’s customer data onto the Computer, and re-uploaded the customer data onto an internet-facing file server (“Online Drive”). The Online Drive was then white-listed for access by Agents from within Changi Women’s Prison.

On 15 October 2021, FHG became aware that its customer data was being offered for sale on a dark web forum. FHG engaged cybersecurity consultants to investigate. On 18 October 2021, FHG’s cybersecurity consultants made contact with the purported seller who claimed that he had exfiltrated FHG’s customer data from Agape’s Online Drive. By 22 October 2021, the post on the dark web forum advertising the sale had been removed.

FHG’s cybersecurity consultants confirmed that the Incident solely involved and affected Agape’s Online Drive. FHG’s own systems and servers were not affected by the Incident. The personal data of 156,900 FHG customers was accessed without authorisation in the Incident, and included the following datasets: name, NRIC number / FIN, date of birth, gender, e-mail address, telephone number, financial information (bank account numbers and bank codes) and health information (“Customer Data”).

Remedial actions

As part of remedial measures following the Incident, FHG informed affected clients and individuals promptly via SMS, e-mail, and an FAQ page on FHG’s website, advising on appropriate steps which could be taken to guard against potential risks. FHG also engaged Credit Bureau (Singapore) Pte Ltd to provide free credit monitoring services to affected individuals for six months.

Agape suspended the use of the Online Drive with effect from 19 October 2021, and, with the assistance of a forensic team, conducted internal checks on the Computer and Online Drive for other indicators of compromise.

FHG, in coordination with Agape, also:

  1. restricted Agape’s access to its SharePoint to “view-only”;
  2. deleted SharePoint files and folders that Agape did not need as part of data minimisation efforts;
  3. ceased synchronisation of data between SharePoint and the Computer;
  4. changed all passwords for Agape’s access to FHG’s SharePoint; and
  5. deleted the Customer Data from the Online Drive upon completion of Agape’s investigations into the Incident.

Whether Agape had contravened the Protection Obligation

As a data intermediary of FHG, Agape is subject to the Protection Obligation pursuant to Section 4(2) of the PDPA. The PDPC found that Agape had breached the Protection Obligation as: (a) Agape failed to conduct reasonable periodic security reviews; and (b) Agape had inadequate password policy and management.

Firstly, the PDPC highlighted the need for organisations to conduct periodic security reviews of their IT systems. Such reviews enable organisations to detect vulnerabilities, assess security implications and risks, and ensure that reasonable security arrangements are implemented to eliminate or mitigate such risks. While Agape had carried out periodic security reviews, these reviews failed to cover the Internet-facing Online Drive. At the time of the Incident, the password for Agape’s Online Drive had been inadvertently disabled for 20 months, the cause of which could not be established. This caused the Online Drive to become an open directory listing on the Internet with no password protection, and highly vulnerable to unauthorised access, modification, and similar risks over an excessive period of time. The PDPC found that if Agape’s periodic reviews had been properly scoped to cover all of the IT components under its Services rendered to FHG (including the Online Drive), this lapse could have been detected and rectified timeously.

Secondly, Agape admitted that prior to the password being disabled in December 2019, the password had been shared by Agents to access the Online Drive. The PDPC highlighted the data protection risks associated with multiple users sharing a common password, including greater risks of unauthorised access by ex-staff and inadvertent disclosure to threat actors through social engineering. The use of a common password among all Agents was exacerbated by the fact that there was no expiry date set for the password. The PDPC found that the failure to implement and enforce reasonable password management policies increased the vulnerability of the Customer Data on the Online Drive to unauthorised access and other similar risks, even before the password had been disabled.

Whether FHG had contravened the Protection Obligation

Under Section 4(3) of the PDPA, an organisation that engages a data intermediary to process personal data on its behalf bears the same obligations under the PDPA as if the personal data was processed by the organisation itself. This is so even where the organisation engages the data intermediary to implement the necessary data protection measures in relation to the personal data.

The PDPC highlighted that in the context of an organisation’s relationship with its data intermediary, the organisation (i.e. the data controller) has a supervisory role for the protection of the personal data, while the data intermediary has a more direct and specific role in the protection of personal data arising from its direct possession or control over the personal data. This means that a data controller may be found in breach of the Protection Obligation, even though its data intermediary may not be found in breach, and vice versa.

The PDPC found that FHG had breached the Protection Obligation by: (a) having failed to exercise reasonable oversight over Agape; and (b) for the unnecessary disclosure of sensitive personal data.

Failure to exercise reasonable oversight of vendor

In this case, FHG engaged Agape as its data intermediary to carry out the Services using the personal data provided by FHG and was required to exercise reasonable oversight of Agape’s data processing activities.
The PDPC considered that FHG had conducted a high-level IT due diligence review of Agape prior to its decision to engage Agape as a vendor, and that FHG’s written agreement with Agape required Agape to comply with the PDPA, including the Protection Obligation. However, the PDPC found that FHG failed to exercise reasonable oversight through regular monitoring of Agape’s personal data handling processes throughout the engagement, including how Agape stored and granted Agents’ access to the Customer Data.

Given that FHG was aware that access to the Customer Data would have to be granted to a third party based off-site for the provision of the Services, FHG should have made reasonable enquiries to ascertain how the Customer Data was to be stored and transmitted, and how access to the Customer Data would be controlled. The PDPC found that had FHG made these enquiries and discovered the true state of affairs, they would have no doubt required Agape to implement stricter controls to regulate Agents’ access and use of the Customer Data. By failing to make such enquiries, FHG failed to appreciate the reality of how Agape was storing, transmitting, and retaining the Customer Data, and failed to exercise reasonable oversight over Agape’s data processing activities.

Unnecessary disclosure of sensitive personal data

Further, the PDPC found that FHG inadvertently disclosed personal data only intended for its employees’ internal use onto the SharePoint system shared with Agape, which included sensitive financial information and health information not required by Agape for the performance of its Services. This inadvertent disclosure ultimately led to a greater loss of personal data during the Incident.

The PDPC stated that when an organisation discloses more personal data than is needed for its purposes, this creates unnecessary data security risks, particularly where such data is more sensitive in nature. Accordingly, the PDPC highlighted that it should be a basic data protection practice for organisations to collect, use, or disclose only the least sensitive types of personal data if different types of personal data can be used to achieve the same purpose.

The PDPC found that FHG should have implemented robust measures to ensure that only personal data necessary for performance of the Services was shared with Agape, and specifically, that sensitive personal data was not inadvertently disclosed.

The PDPC’s decision

In determining whether any directions should be imposed on FHG and Agape, and whether FHG and Agape should be required to pay a financial penalty under Section 48J of the PDPA, the PDPC considered the factors set out in Section 48J(6) of the PDPA and the following mitigating factors:

  1. FHG and Agape were cooperative during the investigations;
  2. FHG and Agape voluntarily admitted to their breaches of the Protection Obligation under the PDPC’s Expedited Decision Procedure; and
  3. FHG and Agape took prompt remedial actions following the discovery of the Incident.

The PDPC found that while Agape’s breaches of the Protection Obligation were more causally proximate to the unauthorised access and disclosure of personal data in the Incident, FHG’s inadvertent disclosure of financial and health-related data exacerbated the Incident’s impact. Further, as the data controller, FHG bore the ultimate responsibility to exercise due diligence and reasonable supervision over Agape.

In assessing the quantum of financial penalty that would be proportionate and effective as a deterrent, the PDPC also considered that FHG’s annual turnover was almost 50 times higher than that of Agape’s. However, no weight was placed on Agape’s status as a social enterprise. The PDPC highlighted that the standard of security arrangements expected under the Protection Obligation will depend on the volume and nature of personal data in the organisation’s possession or control, regardless of whether the organisation is a for-profit business, a charity, or a social enterprise.

Accordingly, the PDPC imposed a financial penalty of S$58,000 on FHG and S$10,000 on Agape. The PDPC also issued directions to FHG and Agape to ensure that they comply with the Protection Obligation.

Concluding remarks 总结

An organisation that engages a data intermediary to process personal data on its behalf should be mindful that it bears the same obligations under the PDPA as if the personal data was processed by the organisation itself, even where it engages the data intermediary to implement the necessary data protection measures in relation to the personal data. Further, such an organisation should exercise reasonable oversight over the data intermediary and implement robust measures to prevent the unnecessary disclosure of personal data.

聘用专业中介代其处理个人数据的数据控制组织机构应当注意,即使自己已经聘请了专业数据处理中介来落实必要的个人数据保护措施, 该数据控制组织机构在《新加坡个人数据保护法令》(简称 “PDPA”)法规下所需承担的最终的法定义务,与其自行处理个人数据时所须承担的义务一致,即不会因为外包给专业中介而减轻数据控制组织机构在PDPA下的法定义务。此外,数据控制组织机构有义务对专业数据处理中介进行合理监督,并采取严格有力的措施以确保仅仅向这些外包专业中介披露必要的个人数据,以防止不必要地个人数据的无意义披露给中介。

Organisations that deal with personal data should also conduct periodic security reviews of their IT systems and put in place adequate password policies and management systems to mitigate data protection risks.
处理个人数据的组织机构也应当定期对其IT系统进行安全审查,并制定充分适当的密码管理政策以降低个人数据泄露风险。