The Personal Data Protection Commission (PDPC) has issued a S$4,000 fine against a computer service vendor for a programming error that resulted in the disclosure of the personal data of over 400 national servicemen (NSmen) in Jun last year, comprising the NSmen’s login identification, email addresses, delivery addresses and mobile numbers.

Option Gift Pte Ltd, the vendor responsible for handling Uniqrewards – an online portal for NSmen to redeem credits and gifts from the Ministry of Defence (MINDEF) and the Ministry of Home Affairs (MHA) – was found guilty of breaching Section 24 of the Personal Data Protection Act 2012 (PDPA), which stipulates that an organisation must take reasonable security steps or arrangements to prevent unauthorised access or disclosure of personal data under its control or possession.

Through Uniqrewards, NSmen may receive such rewards from MINDEF and MHA for performing well during in-camp training or courses, or to celebrate a significant event such as the birth of their child.

Citing Commissioner Tan Kiat How’s grounds of decision, Deputy Commissioner Yeong Zee Kin stated in a case report on Thu (6 Jun) that Option Gift “had full possession and control over the personal data that the Portal collects, uses, discloses and processes at all material times” as the administrator of Uniqrewards, and thus “had full responsibility for the security of the Portal, any changes to it, as well as the personal data processed by it”.

“In this regard, the Commissioner found that the Organisation had failed to conduct sufficient testing before rolling out the programme script,” he added.

The source of the lapse was traced to an Option Gift employee’s failure to reset a service account password in time according to the password expiry policy of 180 days “due to an oversight and a lack of reminders or warnings” on the expiration deadline. As a result, 427 NSmen did not receive confirmation emails for their redemption requests made between 22 May and 24 May last year.

Upon recognition of the incident on 23 May last year, Option Gift wrote a separate programme script to send out the confirmation emails in a bid to resolve the issue. However, the script was found to be faulty: it retained the email addresses of the recipients of the preceding Confirmation Emails in the “To:” field of the email each time a new Confirmation Email was generated.

“It merely added on the intended recipient’s email address, instead of replacing the previous recipient’s email address with the intended recipient’s,” the report revealed.

“This pattern of addressing the Confirmation Emails continued until the last recipient, who received only the Confirmation Email intended for him,” according to the report.

Following the data disclosure, Option Gift mailed all the affected NSmen an apology, asked them to delete all emails from Uniqrewards which were not intended for them, and notified the Commission of the incident.

MINDEF and MHA also each issued an apology to the affected NSmen on 13 Jun last year, and urged the NSmen to delete any emails from Uniqrewards that were not intended for them. A month later, each affected NSman was given S$80 worth of gift vouchers as a gesture of apology from Option Gift.

Option Gift has also indicated steps to buttress its security in order to prevent similar incidents in the future, including subjecting future changes in Uniqrewards to secondary checks during the development testing stage, a separate review of source codes written by developers, direct resending of confirmation emails via an enhancement of Uniqrewards’ backend system, and a standard operating procedure to document the process.

Option Gift will also “deploy an application, Sonarcloud, to analyse the quality of source codes. Sonarcloud would be used to detect bugs, vulnerabilities and code smells during the development process,” the report noted.

“In this case, software testing (i.e., development testing and user acceptance testing) was carried out on the programme script prior to its actual implementation. Investigations revealed a fundamental flaw in designing the test scenarios.

“The test scenario consisted of generating all 427 test emails but instead of picking up the recipient emails from a list of email addresses, each email was hardcoded to be sent to the same internal email address.

“Unsurprisingly, the Error, which would only have manifested itself if there was more than one recipient, was not detected,” according to the Commission.
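The accumulating “To:” field and the test design that hid it can be reproduced in a few lines. The following is an added illustration, not Option Gift's script (the report as quoted here does not name its language or show its code); all addresses, function names and the sender are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

def _confirmation(to_addrs):
    msg = EmailMessage()
    msg["From"] = "noreply@portal.example"   # constructed sender
    msg["To"] = ", ".join(to_addrs)
    msg["Subject"] = "Redemption confirmation"
    msg.set_content("Your redemption request has been received.")
    return msg

def build_buggy(recipients):
    """Defect as described in the report: the To: list is never reset."""
    to_field, batch = [], []
    for addr in recipients:
        to_field.append(addr)                # adds on instead of replacing
        batch.append((addr, _confirmation(to_field)))
    return batch

def build_fixed(recipients):
    """One fresh message per recipient, addressed to that recipient only."""
    return [(addr, _confirmation([addr])) for addr in recipients]

def audit(batch):
    """Return (position, other people's addresses in To:) per leaking message."""
    findings = []
    for pos, (intended, msg) in enumerate(batch, start=1):
        seen = {a.lower() for _, a in getaddresses([str(msg["To"])])}
        leaked = sorted(seen - {intended.lower()})
        if leaked:
            findings.append((pos, leaked))
    return findings

# Constructed inputs: the flawed test scenario vs. a realistic one.
HARDCODED = ["qa@vendor.example"] * 5                       # same internal address
DISTINCT = [f"nsman{i}@mail.example" for i in range(1, 6)]  # distinct recipients

if __name__ == "__main__":
    print("hardcoded test, buggy script:", audit(build_buggy(HARDCODED)))
    print("distinct list, buggy script: ", audit(build_buggy(DISTINCT)))
    print("distinct list, fixed script: ", audit(build_fixed(DISTINCT)))
```

With every test email addressed to the same internal mailbox, the audit finds nothing to report even for the buggy script; only a recipient list with distinct addresses exposes the defect.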
