Failure to Protect Data of Candidates: Enforcement Case

Enforcement case of an Organisation failing to protect the data of its candidates: Actstitude

22 Sep, 2020

Protecting personal data requires that any system storing it be tested both for mistakes in how data is uploaded and for exposure to hacking, which includes conducting vulnerability and penetration tests. However, this was not done in Singapore when an organisation unintentionally exposed the personal data of its job candidates.

Actstitude Pte Ltd is a social media marketing agency that maintains a webpage through which candidates interested in joining the company can upload their resumes. For every resume uploaded, a file was created with a Uniform Resource Locator (“URL”) and stored in a database. There were no controls restricting access to the resume files, and the URLs generated by the Organisation could be manipulated to access resume files uploaded by other individuals. Unaware of the vulnerability, over 160 individuals uploaded their resumes between August 2018 and October 2019.

From its launch on 5 July 2018, Actstitude Pte Ltd did not conduct vulnerability scanning as part of its pre-launch testing, nor did it conduct periodic security reviews. Vulnerability scans offer a reasonable chance of detecting both the lack of access controls and the susceptibility of the URLs to manipulation.

Because no access controls were in place and no security testing was done, Google indexed the URLs and disclosed them when a search was made for the names in the uploaded resumes. The URLs could then be manipulated to access the resumes of other individuals. This led to a complaint to the Personal Data Protection Commission.
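To make the failure pattern concrete, here is an added illustration (not code from Actstitude or from the PDPC decision) of a file handler that serves resumes by a predictable identifier with no ownership check, beside a hardened store that keys files by an unguessable token, verifies the requester owns the file, and tells search engines not to index the response. Sample data and names are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample data standing in for uploaded resume files.
RESUMES = {1: ("alice", b"Alice's resume"), 2: ("bob", b"Bob's resume")}


def serve_resume_vulnerable(resume_id: int) -> Tuple[int, bytes, Dict[str, str]]:
    """Mirrors the weakness described above: a sequential id is all that is
    needed and no authorization check is made, so anyone who edits the number
    in the URL (or follows an indexed link) receives another person's file."""
    record = RESUMES.get(resume_id)
    if record is None:
        return 404, b"", {}
    return 200, record[1], {}


@dataclass
class ResumeStore:
    """Hardened design (an assumption, not the organisation's actual fix):
    files are keyed by a random token, the requester must own the file, and
    every response carries X-Robots-Tag so search engines do not index it."""
    files: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)

    def upload(self, owner: str, data: bytes) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits; not enumerable
        self.files[token] = (owner, data)
        return token

    def serve(self, requester: Optional[str], token: str) -> Tuple[int, bytes, Dict[str, str]]:
        headers = {
            "X-Robots-Tag": "noindex, nofollow",
            "Cache-Control": "private, no-store",
        }
        if requester is None:  # unauthenticated requests never see a file
            return 401, b"", headers
        record = self.files.get(token)
        # One 404 for both "unknown token" and "not yours", so the response
        # does not confirm that a token exists.
        if record is None or record[0] != requester:
            return 404, b"", headers
        return 200, record[1], headers
```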

The Deputy Commissioner for Personal Data Protection ruled that Actstitude did not take reasonable steps to protect the personal data in its possession or under its control against the risk of unauthorised disclosure. The organisation was in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012. Fortunately, in consideration of all the facts, a warning was issued to Actstitude. No directions were required as the organisation had already taken action to address the gaps in its security arrangements.

The key takeaway from this case is that it is crucial to conduct vulnerability scanning as part of pre-launch testing and, thereafter, to conduct periodic security reviews, including penetration tests, as technology and system penetration techniques develop.

Adapted from:
Breach of the Protection Obligation by Actstitude,
by Leong Wai Chong, GRCP, CIPM
