Singtel vendor fined $10k for data breach

Watchdog raps Tech Mahindra for unauthorised changes that leaked a customer's personal data

Singapore's privacy watchdog has fined India-based Tech Mahindra $10,000 for failing to protect the personal details of 2.78 million Singtel customers from unauthorised changes, which inadvertently caused the personal data of one customer to be leaked online.

The Personal Data Protection Commission (PDPC) started investigating Singtel and its technology vendor Tech Mahindra after customers reportedly noticed someone else's NRIC number, account number and billing address on the My Singtel app and the telco's website.

The customer, whose personal data was leaked, had reported having troubles with his OnePass login ID for accessing the My Singtel app and Singtel's website in February last year. OnePass lets users check and pay bills, view data usage and re-contract or purchase a new phone online.

The telco alerted Tech Mahindra to the issue, and the vendor later updated the customer's OnePass profile in the database.

But an erroneous code was introduced, resulting in the profiles of 2.78 million Singtel customers being updated with the personal details of that one customer. The PDPC said that of these customers, 2,518 users viewed the affected user's leaked NRIC number, account number and billing address after logging in using their OnePass ID.

After receiving reports of the breach, Singtel shut down its app and disabled OnePass. The telco also notified the affected customer of the breach.

The PDPC said that Tech Mahindra was acting as a data intermediary for Singtel. But it "failed to make reasonable security arrangements to protect the personal data of Singtel customers that it processed", thus the $10,000 fine.

Organisations flouting the Personal Data Protection Act, in force since July 2014, can be fined up to $1 million.

Singtel, on the other hand, was found to have complied with the law. Specifically, Singtel had put in place a contract requiring Tech Mahindra to comply with the Act.

"Having a contract that sets down the obligations and responsibilities of a data intermediary to protect personal data is a prudent first step for organisations to take," said PDPC.

The telco also has a standard operating procedure, requiring all changes to the database to be tested first before running them.

In addition, Singtel had given Tech Mahindra specific instructions to restrict the database update to one customer's profile, and has yearly security reviews of its OnePass system, website and My Singtel app.

Lawyer Gilbert Leong, senior partner at Dentons Rodyk & Davidson, said that commercially, "there would not be anything more that Singtel could have done as well, short of not outsourcing anything".

Join ST's WhatsApp Channel and get the latest news and must-reads.

A version of this article appeared in the print edition of The Straits Times on April 18, 2017, with the headline Singtel vendor fined $10k for data breach. Subscribe