Enforcement case of an Organisation failing to protect the data of its candidates: Actstitude

The procedure to protect personal data requires any system that stores the data to be tested against mistakes in uploading and/or hacking. This would include conducting vulnerability and penetration tests. However, this was not the case in Singapore when an organisation unintentionally exposed the personal data of its candidates.

Actstitude Pte Ltd is a social media marketing agency that maintains a webpage for candidates interested in joining the company to upload their resumes. For every resume uploaded, a file will be created with a Uniform Resource Locator (“URL”) and stored in a database. There were no controls to restrict access to the resume files and the URLs generated by the Organisation could be manipulated to access resume files uploaded by these different individuals. Unaware of the vulnerability, over 160 individuals uploaded their resumes from August 2018 to October 2019.

From its launch on 5 July 2018, Actstitude Pte Ltd did not conduct vulnerability scanning as part of its pre-launch testing; neither was there periodic security reviews conducted. Vulnerability scans offer a reasonable chance of detecting both the lack of access controls and the vulnerability of the URLs to manipulation.

The result of the failure to put in place access controls or to conduct security testing was that Google indexed and disclosed the URLs when a search was made of the names in the uploaded resumes. The URLs could then be manipulated to access the resumes of other individuals. This led to a complaint to the Personal Data Protection Commission.

The Deputy Commissioner for Personal Data Protection ruled that Actstitude did not adopt reasonable steps to protect personal data in its possession or under its control against risk of unauthorised disclosure. The organisation was in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012. Fortunately, in consideration of all the facts, a warning was issued to the Actstitude. No directions were required as the organisation had taken action to address the gaps in its security arrangements.

The key takeaway from this case is that it is crucial to conduct vulnerability scanning as part of pre-launch testing and thereafter, to periodically conduct security reviews including penetration tests as technology and system penetration know-hows develop.

Adapted from:
Breach of the Protection Obligation by Actstitude,
https://www.pdpc.gov.sg/Commissions-Decisions
by Leong Wai Chong, GRCP, CIPM