Courts fined $9,000 for second data breach in two years

A Courts membership programme marketing e-mail sent out on Aug 31, 2019, exposed the personal data of 76,844 customers.
A Courts membership programme marketing e-mail sent out on Aug 31, 2019, exposed the personal data of 76,844 customers.ST PHOTO: DESMOND FOO

SINGAPORE - Electronics retailer Courts has been fined $9,000 for failing to secure customers' personal details such as names, mobile numbers and addresses, the second time in two years that it has been found to have breached data protection laws.

According to a written decision by the Personal Data Protection Commission (PDPC) published last Friday (Oct 16), a Courts membership programme marketing e-mail sent out on Aug 31 last year exposed the personal data of 76,844 customers to the risk of unauthorised access and modification.

The e-mail contained a link directing customers to the membership portal, where they were supposed to log in and provide their mobile numbers as a form of identification.

But links in previous such e-mails had never required members to log in, and Courts' default website settings failed to take this change into account.

This created an issue where if a member clicked on the link to log in and did not log out within 60 minutes, all members who subsequently clicked on the link within the next 60 minutes would be automatically directed to his account.

Financial information was not stored in the system, but members' name, date of birth, mobile phone number and address were at risk of being accessed and modified owing to the breach.

Courts was notified of the breach by a member on the same day, and fixed the issue some 16 hours after the e-mail was sent out, during which time 128 members clicked on the link. The company notified all 128 via e-mail, and also implemented password verification in January this year for any changes made to members' account information .

“Courts is fully committed to the protection of customers’ personal data. We are regretful that this incident occurred and acted swiftly to contain it within 16 hours with minimum impact to our customers,” a spokesman said.

“We proactively reported the incident to the PDPC and cooperated fully during its investigation. We accept its decision and following the incident, we have reviewed our (standard operating procedures) and continue to conduct penetration testing on our website at regular intervals.”

PDPC deputy commissioner Yeong Zee Kin said Courts had failed to conduct adequate testing before implementation of the new link, noting that there was only one employee in charge of creating and testing the link.

"The employee conducted a limited test of sending the (e-mail) containing the new (link) to himself... This limited test was clearly inadequate," Mr Yeong said. "Pre-launch testing of processes or systems needs to mimic expected real world usage... In the present case, the organisation intended to send the (e-mail) to a very large number of members."

Mr Yeong also noted that this was the second time Courts has been found guilty of a data breach, but added that the financial penalty was reduced after consideration of the company's financial circumstances due to the unprecedented challenges faced by businesses amid the current Covid-19 pandemic.

The company was fined $15,000 in January last year for a vulnerability in its website that potentially exposed a member's contact number and address to anyone who entered the member's name and e-mail address on Courts' guest log-in page.

In other decisions released last Friday, Tanah Merah Country Club was fined $4,000 for sending out unauthorised spam e-mails through its electronic direct mail system, which was poorly secured.