Singtel fined $25k for data breach involving app

Ninja Van operator separately fined $90k for leaving data of up to 1.26 million exposed

Because of a design problem, My Singtel users could access other customers' accounts, exposing the billing information of up to 330,000 subscribers. Separately, Ninja Logistics was fined $90,000 for leaving up to 1.26 million individuals' data in full view of the public. PHOTOS: ST FILE, NINJA VAN

Telco Singtel has been fined $25,000 for a data breach involving its My Singtel mobile app, according to a decision released on Monday by Singapore's privacy watchdog, the Personal Data Protection Commission (PDPC).

Because of a design problem, My Singtel users could potentially access other customers' accounts, exposing the billing information - including names and addresses - of up to 330,000 subscribers.

Separately, Ninja Logistics - which operates goods delivery start-up Ninja Van - was fined $90,000 for leaving up to 1.26 million individuals' data exposed to website users, in a decision also out on Monday.

From 2016 to last year, users of the order tracking function on Ninja Logistics' website were able to enter a different tracking number and view information, such as names, addresses and signatures, of customers whose parcel delivery statuses were set to "completed".

The PDPC, which acted on a complaint about Ninja Logistics in April last year, noted that there was no evidence that the exposed personal data had been "exfiltrated", or maliciously collected.

Ninja Logistics had also tried - albeit unsuccessfully - to introduce a second layer of authentication by requiring part of a customer's name or mobile number in order to verify the identity of the person using a tracking number.

Still, "it is inexcusable for the organisation to neglect its obligations to implement a workable security arrangement to protect the exposed personal data", the PDPC ruled.

Ninja Logistics said in a statement that its webpage was not hacked and "there is no evidence that personal data from the previous version of the tracking webpage was scraped or harvested".

"We apologise for any distress this incident may have caused and want to reassure our customers and parcel recipients that immediate corrective measures were taken to rectify the matter," it added.
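The Ninja Logistics flaw described above is a classic missing object-level authorisation check: the tracking number alone unlocked a full record, and the attempted fix was to demand part of the recipient's name or mobile number as a verifier. The following Python is an added illustration (not code from Ninja Van, Singtel or the PDPC decision) of the exposed pattern beside a hardened lookup; the parcel records, field names and the "last four digits or surname" verifier rule are constructed assumptions for the example.

```python
import hmac

# Constructed sample data: an in-memory stand-in for a courier's parcel store.
PARCELS = {
    "NV000123": {"status": "completed", "name": "Tan Ah Kow",
                 "address": "1 Example Rd #02-03", "mobile": "91234567",
                 "signature": "sig-blob-1"},
    "NV000124": {"status": "in_transit", "name": "Lee Mei Ling",
                 "address": "2 Sample Ave", "mobile": "98765432",
                 "signature": None},
}

PUBLIC_FIELDS = ("status",)
PERSONAL_FIELDS = ("name", "address", "mobile", "signature")


def lookup_insecure(tracking_no):
    """Pattern described in the article: once a parcel is 'completed', the
    tracking number alone returns recipient PII, so anyone who types in a
    different number sees someone else's name, address and signature."""
    parcel = PARCELS.get(tracking_no)
    if parcel is None:
        return None
    if parcel["status"] != "completed":
        return {"status": parcel["status"]}
    return dict(parcel)


def _verifier_matches(parcel, verifier):
    """Assumed verifier rule: the last 4 digits of the recipient's mobile or
    the recipient's surname (first token, case-insensitive). Constant-time
    comparison avoids leaking which characters matched."""
    v = verifier.strip().lower().encode()
    if not v:
        return False
    last4 = parcel["mobile"][-4:].encode()
    surname = parcel["name"].split()[0].lower().encode()
    return hmac.compare_digest(v, last4) or hmac.compare_digest(v, surname)


def lookup_hardened(tracking_no, verifier=None):
    """Treat the tracking number as an identifier, not a credential: without
    a matching second factor only the non-personal delivery status is returned."""
    parcel = PARCELS.get(tracking_no)
    if parcel is None:
        return None
    result = {k: parcel[k] for k in PUBLIC_FIELDS}
    if verifier is not None and _verifier_matches(parcel, verifier):
        result.update({k: parcel[k] for k in PERSONAL_FIELDS})
    return result
```

In a real deployment the verifier check would also be rate-limited per tracking number and source, since four digits alone are guessable; the point here is that status and personal data sit behind different checks.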

Meanwhile, the Singtel breach came to light through an anonymous tip-off to the PDPC in May 2017, which alleged that communications between the app and Singtel's servers could be manipulated to gain access to other users' accounts. Anyone with working knowledge of how a mobile app communicates with servers could have exploited the vulnerability, and the tools needed to do so are available online, the PDPC said.

"The informant accessed four billing accounts and extracted the customer's name, billing address, billing account number, mobile phone number as well as customer service plans (including data, talk time and SMS usage)," it noted.

"While there was no further evidence of unauthorised access, the personal data of approximately 330,000 of the organisation's customers who were using the mobile app at the material time were put at risk of disclosure."

Though Singtel had hired a third-party vendor for regular security tests on the mobile app and systems, the design flaw that led to the latest data breach was not detected.

Singtel said that the app has been strengthened with "improved data encryption and new standards".

"Additionally, we conduct frequent third-party penetration tests, and comprehensive security awareness and training programmes for our app development teams, to prevent such incidents from recurring," the telco said.


A version of this article appeared in the print edition of The Straits Times on November 06, 2019, with the headline "Singtel fined $25k for data breach involving app".