Retailer Courts fined $9k for breaching data protection laws

Electronics and furniture retailer Courts has been fined $9,000 for failing to secure customers' personal details such as names, mobile numbers and addresses, the second time in two years that it has been found to have breached data protection laws.

According to a written decision by the Personal Data Protection Commission (PDPC) published last Friday, a Courts membership programme marketing e-mail sent out on Aug 31 last year exposed the personal data of 76,844 customers to the risk of unauthorised access and modification.

The e-mail contained a link directing customers to the membership portal, where they were supposed to log in and provide their mobile numbers as a form of identification.

But links in previous such e-mails did not require members to log in, and Courts' default website settings failed to take this change into account. As a result, if a member clicked on the link to log in and did not log out within 60 minutes, all other members who clicked on the link within the next 60 minutes would be automatically directed to that member's account.

Financial information was not stored in the system, but members' names, dates of birth, mobile numbers and addresses were at risk of being accessed and modified owing to the breach.

Courts was notified of the breach by a member on the same day, and fixed the issue some 16 hours after the e-mail was sent out, during which time 128 members clicked on the link. The company notified all 128 via e-mail, and also implemented a password verification process in January this year for any changes made to members' account information.

"Courts is fully committed to the protection of customers' personal data. We are regretful that this incident occurred and acted swiftly to contain it within 16 hours, with minimum impact to our customers," a Courts spokesman said yesterday.

"We proactively reported the incident to the PDPC and cooperated fully during its investigation. We accept its decision and, following the incident, we have reviewed our (standard operating procedures) and continue to conduct penetration testing on our website at regular intervals."

PDPC deputy commissioner Yeong Zee Kin said Courts had failed to conduct adequate testing before implementation of the new link, noting that there was only one employee in charge of creating and testing the link.

"The employee conducted a limited test of sending the (e-mail) containing the new (link) to himself... this limited test was clearly inadequate," Mr Yeong said.

"Pre-launch testing of processes or systems needs to mimic expected real world usage... In the present case, the organisation intended to send the (e-mail) to a very large number of members."

Mr Yeong also noted that this was the second time Courts has been found guilty of a data breach, but added that the financial penalty was reduced after consideration of the company's financial circumstances due to the economic fallout from the Covid-19 pandemic.

A version of this article appeared in the print edition of The Straits Times on October 20, 2020, with the headline 'Retailer Courts fined $9k for breaching data protection laws'.