Spize fined $20,000 by privacy watchdog for leak of customer data on online ordering portal

SINGAPORE – Food and beverage outlet operator Spize Concepts has been fined $20,000 by Singapore’s privacy watchdog for the disclosure of customers’ personal data on its online ordering portal.

A total of 148 customers’ personal data, including their names, contact numbers, e-mail and residential addresses, were disclosed on the site on or around Feb 9, 2017.

The Personal Data Protection Commission (PDPC) received a complaint regarding the leak on Aug 12, 2017. Spize was informed of the leak two days later and requested its software provider Novadine to rectify the problem.
The link has not been publicly accessible since Aug 16, 2017, the report said.

The cause of the leak was traced to a user logging onto the managing director’s administrator account and enabling the link containing the personal information to be publicly accessible. The link was intended only for internal use, according to PDPC’s grounds for the decision on Thursday (July 4).

Spize had engaged Novadine, which is based in the US, to develop and host their website and online ordering system around 2012, and personal data collected through the online ordering portal was stored on the provider’s servers.
The privacy watchdog found that Spize had breached section 24 of the Personal Data Protection Act (PDPA), which requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps to prevent “unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks”.

The report said that Spize lacked knowledge of the ordering system and the security arrangements in place to protect personal data, and had to rely on the service provider to account for how the data was handled.
Deputy PDPC Commissioner Yeong Zee Kin noted in decision grounds that the company had no password policy when the leak happened, and the password for the managing director’s administrator account was shared among several people at the time of the incident.

This resulted in Spize not being able to identify the employee responsible for enabling public access to the link.

Spize did not have any data protection policies, internal guidelines or accompanying terms and conditions in place when the incident took place, which are required under PDPA regulations.

The company failed to make available on request information about its implemented policies and practices on how Novadine was to process personal data on its behalf, and also did not consider its obligations when transferring personal data outside Singapore.

The deputy commissioner added that the decision took into consideration mitigating factors, such as how Spize has taken steps to implement a customised data protection framework, conduct data protection training for its employees, and put in place proper access controls within the system.

The firm has been directed to put in place a data protection policy and internal guidelines to comply with the provisions of the PDPA and train all employees handling personal data on the obligations of the Act.

In addition, Spize is required to put in place proper access controls for administrator accounts within its ordering systems.