The Data Protection Commission (“the Commission”) has found Specialized Asia Pacific Pte. Ltd. (“SAP”) in breach of its data protection obligations under Section 24 of the Personal Data Protection Act (“PDPA”).
Founded in 2009, Specialized Asia Pacific Pte. Ltd. is a Singapore-based wholesaler of sports products and equipment, including bicycles and medical equipment.
On January 29, 2021, SAP informed the Commission of a data security breach involving the Specialized Cadence Application, which it had developed, operated and maintained. The application had a default privacy setting that made any user- or developer-created data visible to any third party who could use third-party security testing software to intercept that data. Because of this default data protection setting, the personal data of 2,445 individuals was exposed to the risk of unauthorized access. The personal data included the names, addresses, dates of birth, telephone numbers, email addresses and gender of the application's users.
As soon as the weakness in the default setting was identified, SAP remedied it immediately by disabling access to and use of the application by all external parties and changing the data protection setting from “visible” to “hidden”. SAP also engaged a cybersecurity firm to review and strengthen its security measures.
Section 24 of the PDPA requires organizations to understand the privacy policies and security features of any online tool or software they choose to use. When using such a tool, an organization must review and adjust its privacy and security settings so that personal data is protected in accordance with the organization's data protection obligations under the PDPA. Relying on the default data protection settings of an online tool does not release an organization from its obligation to protect personal data under Section 24 of the PDPA.
At the end of its investigation, the Commission concluded that, in the circumstances, the risk of disclosure of the personal data was limited to parties with the knowledge and skill to use third-party security testing software to access it, and that no financial penalty was warranted. The Commission issued a warning to SAP and did not issue any further directions.