[BreachExchange] Singtel and Ninja Logistics fined for Data Breach

Destry Winant destry at riskbasedsecurity.com
Thu Nov 7 09:45:28 EST 2019


https://www.tnp.sg/news/singapore/singtel-and-ninja-logistics-fined-data-breach

Telco Singtel has been fined $25,000 for a data breach involving its
My Singtel mobile app, according to a decision released on Monday by
Singapore's privacy watchdog, the Personal Data Protection Commission
(PDPC).

Because of a design problem, My Singtel users could potentially access
other customers' accounts, exposing the billing information -
including names and addresses - of up to 330,000 subscribers.

Separately, Ninja Logistics - which operates goods delivery start-up
Ninja Van - was fined $90,000 for leaving up to 1.26 million
individuals' data exposed to website users, in a decision also out on
Monday.

From 2016 to last year, users of the order tracking function on Ninja
Logistics's website were able to enter a different tracking number and
view information, such as names, addresses and signatures, of
customers whose parcel delivery statuses were set to "completed".

The PDPC, which acted on a complaint about Ninja Logistics in April
last year, noted that there was no evidence that the exposed personal
data had been "exfiltrated" or maliciously collected.

Ninja Logistics had also tried - albeit unsuccessfully - to introduce
a second layer of authentication by requiring part of a customer's
name or mobile number to verify the identity of the person using a
tracking number.

Still, "it is inexcusable for the organisation to neglect its
obligations to implement a workable security arrangement to protect
the exposed personal data", the PDPC ruled.

Meanwhile, the Singtel breach came to light through an anonymous
tip-off to the PDPC in May 2017, which alleged that communications
between the app and Singtel's servers could be manipulated to gain
access to other users' accounts.

Anyone with working knowledge of how a mobile app communicates with
servers could have exploited the vulnerability, the PDPC said.
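Both decisions describe the same underlying failure: the server returned a record identified by a value the client supplied (a tracking number, or an account reference in the app's requests) without checking that the caller was entitled to it. The following is an added example, not code from Singtel, Ninja Logistics or the PDPC decision, showing how a server can enforce that check for each case: a billing lookup bound to the authenticated session rather than to an account id sent by the app, and a tracking lookup that releases personal details only after a verifier (assumed here to be the last four digits of the recipient's mobile number, as a stand-in for the "part of a customer's name or mobile number" the article mentions) is presented, with a cap on attempts per tracking number. All records, identifiers and the verifier rule are constructed assumptions.

```python
"""Server-side authorization for two lookup patterns (added example).

Constructed assumptions: account ids, tracking numbers, customer records
and the "last four digits of mobile" verifier rule are all made up here.
"""
import hmac
from dataclasses import dataclass, field

# Constructed sample data; none of these values come from the article.
BILLING = {
    "acct-1001": {"name": "A. Tan", "address": "1 Sample Rd", "mobile": "91110001"},
    "acct-1002": {"name": "B. Lim", "address": "2 Sample Rd", "mobile": "92220002"},
}
PARCELS = {
    "NV123": {"name": "A. Tan", "address": "1 Sample Rd", "mobile": "91110001", "status": "completed"},
    "NV124": {"name": "B. Lim", "address": "2 Sample Rd", "mobile": "92220002", "status": "in transit"},
}


class Forbidden(Exception):
    """Raised when a caller asks for a record it is not entitled to."""


@dataclass
class Session:
    """An authenticated app session. The server establishes account_id at login;
    nothing in a later request is allowed to change which account it refers to."""
    account_id: str


def get_billing_vulnerable(session: Session, requested_account: str) -> dict:
    """The pattern behind the Singtel finding: the server trusts an account
    reference taken from the app's request and ignores who is logged in."""
    return BILLING[requested_account]


def get_billing(session: Session, requested_account: str) -> dict:
    """Hardened: the only account a session may read is the one bound to it.
    The request's account reference is compared, never used as the key."""
    if requested_account != session.account_id:
        raise Forbidden("account does not belong to this session")
    return BILLING[session.account_id]


@dataclass
class TrackingService:
    """Public parcel tracking with a verifier gate on personal details."""
    max_attempts: int = 5
    attempts: dict = field(default_factory=dict)  # tracking_no -> failed/used attempts

    def track_vulnerable(self, tracking_no: str) -> dict:
        """The pattern behind the Ninja Logistics finding: any tracking number
        returns the recipient's name and address to whoever types it in."""
        return PARCELS[tracking_no]

    def track(self, tracking_no: str, verifier: str) -> dict:
        """Hardened: delivery status stays public, but name and address are
        released only when the caller supplies the last four digits of the
        recipient's mobile number. The comparison is constant-time and the
        number of attempts per tracking number is capped."""
        parcel = PARCELS.get(tracking_no)
        if parcel is None:
            # Same response shape as a wrong verifier, so the endpoint does
            # not confirm which tracking numbers exist.
            return {"status": "unknown"}
        used = self.attempts.get(tracking_no, 0)
        if used >= self.max_attempts:
            raise Forbidden("too many verification attempts for this tracking number")
        self.attempts[tracking_no] = used + 1
        expected = parcel["mobile"][-4:]
        if not hmac.compare_digest(expected.encode(), verifier.encode()):
            return {"status": parcel["status"]}  # no personal data on a failed check
        return {"status": parcel["status"], "name": parcel["name"], "address": parcel["address"]}


if __name__ == "__main__":
    svc = TrackingService()
    print(svc.track("NV123", "0000"))   # status only
    print(svc.track("NV123", "0001"))   # status plus recipient details
    print(get_billing(Session("acct-1001"), "acct-1001"))
```

Two design points worth noting. In `get_billing`, the session's account id is the key and the client's value is only compared against it, so a manipulated request can at most produce a `Forbidden` that is worth logging. In `track`, the attempt cap is keyed on the tracking number alone for brevity; a production service would also throttle per client, otherwise a stranger could lock a legitimate recipient out of their own parcel details.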

"The informant accessed four billing accounts and extracted the
customer's name, billing address, billing account number, mobile phone
number as well as customer service plans (including data, talk time
and SMS usage)," it noted.

"While there was no further evidence of unauthorised access, the
personal data of approximately 330,000 of the organisation's customers
who were using the mobile app at the material time were put at risk of
disclosure."

Singtel had hired a third-party vendor for regular security tests on
the mobile app and systems. But the design flaw that led to the latest
data breach was not detected - even though a similar vulnerability had
been detected and rectified in 2015.
