In its judgment, the PDPC found that Ascentis failed to disable Peter’s admin account after he left Kyanon and the Starbucks Singapore project. By Ascentis’ own admission, it was responsible for creating and managing admin accounts.
This was made worse by the account not being protected with a sufficiently complex password, said the PDPC.
Ascentis had told the PDPC that the new password met the platform’s password complexity requirements – at least eight characters in length, one upper and one lower case letter, one special character, and not be a repeat of the account’s previous five passwords.
The PDPC reiterated its stance that “mere technical compliance” with password complexity requirements “is not good enough if the password remains guessable”.
In this case, the new password incorporated “Kyanon” and a sequential series of digits.
The PDPC added: “While the immediate cause for the weak new password and insecure sharing of the credentials for Peter’s admin account may have been the Kyanon employees, (Ascentis) could have managed this better by specifying clearer data protection requirements to Kyanon as part of its involvement in the project, including in relation to account management.”
MULTI-FACTOR AUTHENTICATION
The PDPC also gave observations on two other data protection practices that could have prevented the data breach, even if Peter’s admin account was not disabled.
One practice was only assigning rights for an admin account to the necessary employees, and implementing multi-factor authentication for such accounts.
The PDPC said it recognised the business difficulties faced by Ascentis, which had explained that it delayed plans to implement multi-factor authentication due to manpower shortages caused by the COVID-19 pandemic.
However, it added that the implementation could have been given greater priority, considering the volume of personal data stored on the e-commerce platform.
In determining the financial penalty, the PDPC recognised that Ascentis cooperated with investigations, took prompt remedial actions, did not previously breach the Personal Data Protection Act, and voluntarily accepted responsibility for the incident.
The PDPC also said it was satisfied the data breach could not be directly attributed to Starbucks Singapore, since internal lapses by Ascentis had caused the breach.
However, the commission added that Starbucks Singapore “could further improve on the contractual stipulation and handling of its data intermediaries”.
The PDPC has determined that Starbucks Singapore complied with the terms of its voluntary undertaking, it said.
The undertaking involved a remediation plan, including requesting its vendor to implement two-factor authentication and IP address restriction to access the admin portal of the customer database.
DOES NOT STORE CREDIT CARD INFO
When the breach came to light, Starbucks Singapore said in an email sent to customers that it does not store credit card information as per its security data practices.
It also said it implemented additional measures to protect customer information, adding that all stored value, rewards and credits in users’ Starbucks Rewards membership remained intact.
CNA has sought further comments from Starbucks Singapore following the judgment.
In October last year, the maximum amount that a company can be fined for a data breach was increased to either 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher.
Previously, organisations that violate the Personal Data Protection Act would face a financial penalty of up to S$1 million.