Personal Data Protection Commission imposes S$74,000 fine on PPLingo Pte Ltd

25 May 2024

1. On 23 May 2024, the Personal Data Protection Commission ("PDPC") published its decision Re PPLingo Pte Ltd [2023] SGPDPC 12 in which it imposed a financial penalty of S$74,000 on PPLingo Pte Ltd (the "Organisation"). The Organisation, a company operating an online Chinese and English language learning platform that offers virtual classes to students globally (“LingoAce”), was found to be in breach of the Accountability and Protection Obligations under section 11(3) and section 24 of the Personal Data Protection Act 2012 ("PDPA") respectively. The PDPC acceded to the Organisation’s request for the matter to be handled under the expedited breach decision procedure. 

2. The PDPC emphasised the importance of implementing strong password policies, and two-factor or multi-factor authentication as a baseline standard. It also stated that organisations must assess whether the enhanced data protection practices described in the PDPC’s guides should be implemented to protect their personal data, having regard to the volume and sensitivity of such personal data and the possible impact of a data breach.

Background Facts

3. This case arose when the Organisation notified the PDPC of an incident involving unauthorised access to personal data contained within its online education platform (the “Incident”). The Organisation’s private forensic expert’s investigations showed that between 26 and 27 April 2022, the threat actor obtained the password of an administrator account of the Organisation’s operations support system (“OPS System”) (“Compromised Admin Account”) via brute force attacks. The password of the Compromised Admin Account was “lingoace123”.

4. The threat actor used the Compromised Admin Account to create several new accounts with administrator privileges to the OPS System and used these accounts to access the personal data of the affected users (i.e. the Organisation’s students, parents, former and current teachers, and other former and current staff). A total of 557,144 users were affected by the Incident. The types of personal data affected included: name, date of birth, mobile phone number, email address, avatar link (including photos, where provided), WhatsApp / WeChat ID, account class credit balance, salary, bank name and account number, signature, Chinese resident identity card number, and labour or independent contractor agreement. There was no evidence of any data modification or exfiltration.

5. Subsequently, on 5 May 2022, the threat actor gained unauthorised access to the Organisation’s employees’ email accounts through unidentified means. Through an employee’s email account, the threat actor sent an email to the Organisation informing it that he had accessed LingoAce’s platform systems, and provided the personal data of several affected users as proof. However, the threat actor did not follow up with any further communications or demands.

6. Following the Incident, the Organisation implemented various measures to mitigate the Incident and prevent a recurrence or similar incidents. These included: inspecting servers related to the OPS System to detect any further intrusion; resetting the passwords of all administrator accounts and removing unnecessary administrator accounts; implementing two-factor authentication for email accounts and for all accounts accessing the OPS System and other related systems connected to the LingoAce platform; implementing enhanced password strength/complexity requirements for accounts accessing the OPS System; appointing a data protection officer (“DPO”); and enhancing its internal security and data protection training programme.

PDPC’s Findings

7. In light of the circumstances of the case, the PDPC found the Organisation to be in breach of the Accountability and Protection Obligations under sections 11(3) and 24 of the PDPA respectively. 

Breach of the Protection Obligation

8. The PDPC highlighted that in light of the high volume and sensitivity of the personal data held within the OPS System (including financial information and the personal data of students / minors), the Organisation was responsible for implementing an appropriately robust level of security arrangements in order to meet its Protection Obligation.

     Inadequate password policy

9. As part of this obligation, organisations must adopt, implement, and enforce a strong password policy. Basic authentication and authorisation processes organisations must implement include: a password policy that mandates a minimum level of password complexity, and a fixed period of password validity or regular change of passwords. 

10. However, the Organisation failed to have any password policy in place for the Compromised Admin Account, other than requiring a minimum length of 8 characters for passwords. As the Compromised Admin Account granted privileged access to the Organisation’s OPS System, this was an inadequate security arrangement to safeguard the personal data in the OPS System.

11. The Compromised Admin Account’s password “lingoace123” had been in use since the commencement of the OPS System in March 2020 and remained unchanged prior to the Incident. Additionally, the Organisation failed to implement requirements providing for an adequate level of password complexity. This would have contributed to the ease of the threat actor’s brute force attempts. It was found that the password for the Compromised Admin Account did not meet typical industry best practices for password strength, in terms of appropriate length and the combination of numbers, symbols, and/or uppercase and lowercase characters.

     Guessable phrases / components in the password

12. The PDPC found “lingoace123” to be a weak password given that it incorporated the Organisation’s name and a common sequence of numbers. Such passwords are vulnerable to brute force attacks. The inadequacy of such passwords had been made clear in the earlier case of Re Chizzle Pte Ltd [2020] SGPDPCR 1 and repeated in the PDPC’s Guide to Data Protection Practices for ICT Systems (“ICT Guide”). In particular, the use of an organisation’s name as a component of a password is not recommended.

13. For the reasons above, the Organisation was found to have negligently breached the Protection Obligation by failing to implement adequate security arrangements in respect to the Compromised Admin Account.
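To make the password-policy findings in paragraphs 9 to 12 concrete, the following is an added example (not code from the PDPC, the Organisation or any of its systems) of a policy check that an organisation could run when an administrator password is set or audited. It enforces the elements the PDPC lists: a minimum length, a minimum number of character classes, a maximum password age, and a rejection of passwords that embed the organisation’s name or a common number or keyboard sequence. The thresholds (12 characters, three character classes, 90 days) and the list of common sequences are assumptions chosen for illustration, not figures from the decision.

```python
import re
from datetime import date, timedelta
from typing import List, Optional

# Policy parameters: constructed assumptions for this example, not the
# Organisation's actual settings or PDPC-mandated values.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3      # of: lowercase, uppercase, digit, symbol
MAX_AGE_DAYS = 90              # fixed period of password validity
COMMON_SEQUENCES = ("123", "abc", "qwerty", "password", "admin")

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def _normalise(text: str) -> str:
    """Lower-case and strip non-alphanumerics so that 'Lingo-Ace' or
    'L1ngoAce' style separators cannot hide an organisation name."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(
    password: str,
    org_names: List[str],
    last_changed: Optional[date] = None,
    today: Optional[date] = None,
) -> List[str]:
    """Return the list of policy violations; an empty list means the
    password satisfies the policy."""
    problems: List[str] = []

    # 1. Minimum length (the decision notes that 8 characters alone was inadequate).
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # 2. Complexity: count how many character classes are present.
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, password))
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(
            f"fewer than {MIN_CHARACTER_CLASSES} character classes "
            "(lowercase, uppercase, digit, symbol)"
        )

    # 3. Guessable components: the organisation's own name(s) and common sequences.
    norm = _normalise(password)
    for name in org_names:
        n = _normalise(name)
        if n and n in norm:
            problems.append(f"contains organisation name '{name}'")
    for seq in COMMON_SEQUENCES:
        if seq in norm:
            problems.append(f"contains common sequence '{seq}'")

    # 4. Validity period: flag passwords older than the maximum age.
    if last_changed is not None:
        today = today or date.today()
        if today - last_changed > timedelta(days=MAX_AGE_DAYS):
            problems.append(f"older than {MAX_AGE_DAYS} days; rotation overdue")

    return problems


if __name__ == "__main__":
    # Constructed check: the password from the decision, set when the
    # OPS System commenced (March 2020) and audited on the eve of the Incident.
    for issue in check_password("lingoace123", ["LingoAce", "PPLingo"],
                                last_changed=date(2020, 3, 1),
                                today=date(2022, 4, 26)):
        print("FAIL:", issue)
```

Run as a script, the check reports five separate failures for “lingoace123”: length, complexity, the embedded organisation name, the “123” sequence, and the overdue rotation. The name check runs on a normalised form so that inserting separators or changing case does not bypass it; the same normalisation is deliberately not applied to the complexity count, which must see the original characters.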

     Two-factor / Multi-factor authentication

14. At the time of the Incident, the Organisation did not have in place a policy requiring two-factor or multi-factor authentication in respect of the Compromised Admin Account. In Lovebonito Singapore Pte Ltd [2022] SGPDPC 3 (“Lovebonito”), the PDPC stated that two-factor or multi-factor authentication was a baseline requirement for administrative accounts to systems holding personal data of a confidential / sensitive nature or large volumes of personal data, among other things. However, the Incident happened shortly before the publication of the PDPC’s Lovebonito decision. As such, the PDPC did not take this into account as a basis for breach of the Protection Obligation.

15. The PDPC stated that, given the wider availability of two-factor or multi-factor authentication at lower cost, organisations should expect the baseline standard described in Lovebonito to rise. An organisation that chooses not to implement them will have to explain why this is reasonable, considering, for example, costs, circumstances, and the level of data protection risk.

16. Separately, the PDPC noted that in its ICT Guide, it has recommended two tiers of (i) basic and (ii) enhanced data protection practices for organisations to adopt in different circumstances. Although the Organisation was not penalised for not implementing the enhanced practices provided therein, the PDPC observed that implementing other enhanced data protection practices in the PDPC’s handbook on How to Guard against Common Types of Data Breaches could have prevented or slowed down brute force attacks. The PDPC made clear that organisations must assess whether to implement the enhanced data protection practices, having regard to the volume and sensitivity of the personal data and the possible impact of a data breach.

Breach of the Accountability Obligation

     Failure to appoint a DPO

17. It was found that the Organisation had not appointed a DPO since its incorporation in 2016. This is a basic requirement of the PDPA. A DPO plays a vital role in ensuring an organisation’s compliance with the PDPA and the proper implementation of data protection policies and practices. The Organisation appointed a DPO only after the Incident, on 18 May 2022.

18. In light of the facts, it was held that the Organisation had negligently breached the Accountability Obligation for failing to designate a DPO.

19. The Organisation also failed to conduct regular specific security reviews on whether the AWS keys had been properly rotated or deleted. Such a review could have covered and detected whether the AWS Key remained active or had been used after the out-of-cycle key rotation and during the period preceding the Incident.

PDPC’s Decision

20. In determining whether to impose a financial penalty and the amount thereof, the PDPC took into account, among other things, the following:
  1. The Organisation had been negligent in not complying with the Protection Obligation and Accountability Obligation.
  2. The Incident involved a high volume of personal data. The types of datasets affected were of a higher sensitivity as they included financial personal data and the personal data of approximately 303,238 minors.
  3. There was no evidence of any exfiltration or misuse of the personal data of the affected users.
  4. The Organisation took prompt remedial actions in response to the Incident, including notifying the affected users. 
  5. The Organisation voluntarily admitted that it had breached the Accountability Obligation and the Protection Obligation. Its early admission of liability was a significant mitigating factor.
  6. The Organisation was cooperative during investigations.

21. The PDPC noted that the Organisation’s early admission of liability was a significant mitigating factor. An organisation that voluntarily accepts responsibility for its non-compliance demonstrates its commitment to its obligations under the PDPA and shows that it can be responsible for the personal data in its possession or under its control.

22. Upon the PDPC’s preliminary decision to impose a financial penalty of S$74,000 on the Organisation, the Organisation made representations which sought a financial penalty of no more than S$35,000:

  1. The Organisation had spent significant capital on its remedial action and wanted to implement further improvements to its IT systems and processes; any reduction of the financial penalty could be used to fund these further improvements.
  2. The Organisation had made voluntary notifications regarding the Incident to other data protection authorities in over 40 other affected locations, in full compliance with its obligations globally. Such other data protection authorities may also impose financial penalties on the Organisation. Hence, to avoid “double counting”, the PDPC should only consider the Singapore-based individuals when assessing the total number of affected individuals. 
  3. Lower financial penalties had been imposed in previous decisions involving similarly high volumes of personal data.

23. The PDPC rejected the Organisation’s representations for the following reasons:

  1. Under Section 11(2) of the PDPA, the Organisation is responsible for all personal data in its possession or under its control. This is not limited to the personal data of affected individuals located within Singapore.
  2. The PDPC’s enforcement jurisdiction is not constrained by potential enforcement proceedings abroad. The Organisation has not shown how there would be any “double counting” in any case. As a matter of principle, an argument that the amount that goes towards payment of a financial penalty could be spent on further improvements is not relevant. 
  3. Every case is decided on its specific facts. In the present case, the Organisation had committed two contraventions of the PDPA, and a large volume of minors’ personal data was affected which distinguished it from the cases cited.

Commentary

24. This decision highlights the importance of implementing strong password policies as a basic security measure to ensure that IT systems are not vulnerable to common hacking attempts such as brute force attacks. In particular, this decision is a salient reminder not to use the organisation’s name as a main component in its passwords.

25. Multi-factor authentication should be implemented as a default, in particular for administrative / privileged accounts to systems that hold personal data of a confidential or sensitive nature, or large volumes of personal data (especially where there is remote access), as well as for other IT systems where this is available out-of-the-box. If an organisation chooses not to implement multi-factor authentication, it should document its reasons for this assessment and be prepared to explain why this is reasonable.

26. Organisations must also assess whether the enhanced data protection practices described in the PDPC’s guides should be implemented to protect their personal data, having regard to the nature of the personal data in their possession or under their control and the possible impact of a data breach.

27. The PDPC had also clarified the relevance of various factors when assessing its enforcement action against an organisation, as discussed in paragraph 23 above. It is not relevant that the amount that goes towards payment of a financial penalty could be spent on further improvements. The obligations under the PDPA are not limited to personal data of Singapore-based individuals, and the PDPC’s enforcement jurisdiction is not constrained by potential enforcement proceedings abroad.

28. We will continue to monitor developments in this area.

This newsflash is intended to provide general information and may not be reproduced or transmitted in any form or by any means, in whole or by part, without prior written approval. It is not intended to be a comprehensive study of the subjects covered, nor is it intended to provide any legal advice. It should not be treated as a substitute for specific advice on specific situations.
