Cellar Door, Web host fined over data protection breach


The Cellar Door, a well-known local seller of gourmet products, has been fined $5,000 for failing to protect the personal data of some of its customers and users from being posted on another website without authorisation.

Its website host, Global Interactive Works (GIW), was fined $3,000 by the Personal Data Protection Commission (PDPC). Also, The Cellar Door was ordered to conduct a security audit and patch all identified vulnerabilities on its website.

The move follows a commission probe after unauthorised postings of the personal data of customers and users of The Cellar Door's website were found on a website known as Pastebin in September 2014.

"Although not all the personal data of the customers of Cellar Door had been disclosed on the Pastebin website, given the inadequacies of (Cellar Door and GIW)'s security measures, the entire customer database was put at risk," said the PDPC in decision grounds issued on Dec 23.

The data included customers' full names, residential phone numbers and addresses, as well as e-mail addresses and passwords. The Cellar Door was unaware of the disclosures until it was notified by the commission.

GIW said its engineers were unable to determine why the data was disclosed on Pastebin.

The Personal Data Protection Act obliges an organisation and its data intermediary to make reasonable security arrangements to protect the data entrusted to them and to prevent its illicit access and use.

The Cellar Door's website and customer database were hosted on the server of GIW, which also provided backup services to which only its staff had access.

"GIW did not put in place adequate security measures when it failed to install a server-side firewall, close unused ports and implement stronger administration passwords," said the PDPC.

But it held that the personal data handled by GIW remained under The Cellar Door's control. Thus the retailer was chiefly responsible for security policies and processes. It did not even have a maintenance contract with GIW, said the PDPC.

"This was unacceptable as it left the system exposed to new vulnerabilities that regular security patching could have addressed."

A version of this article appeared in the print edition of The Straits Times on December 29, 2016, with the headline 'Cellar Door, Web host fined over data protection breach'.