Singtel & Ninja Van Fined More Than S$25,000 For Exposing Data

On Tuesday (5 Nov), The Straits Times reported that two local companies – Ninja Logistics, which operates Ninja Van, and Singtel – were fined for not properly safeguarding their customers’ personal information.

Source

Singtel and Ninja Van were fined S$25,000 and S$90,000 respectively on Monday (4 Nov), by the Personal Data Protection Commission (PDPC).

Singtel customers’ address & billing information exposed

Due to a design fault, My Singtel users could log in to other users’ accounts.

The fault apparently came to light in May 2017 when PDPC received an anonymous tip-off about how communications between My Singtel and Singtel’s servers could be interrupted to gain access to other people’s accounts.

According to PDPC, “the informant accessed four billing accounts and extracted the customer’s name, billing address, billing account number, mobile phone number as well as customer service plans.”

PDPC added that Singtel could have faced a maximum fine of $1 million. But because the hack was difficult to carry out, the lapse was seen as less severe, and so too the accorded penalty.

Ninja Logistics did not delete old tracking orders

On the other hand, Ninja Logistics left 1.26 million customers’ data exposed through their order tracking function between 2016 and 2018.

Users could reportedly enter a different order tracking number to view details of the other customers with completed orders, including their names, addresses and signatures.

Source

PDPC said this could have easily been avoided if Ninja Logistics had set an expiry date on their tracking orders.

Data was not leaked on both sites, thankfully

Fortunately, Ninja Logistics clarified that their website was not hacked and there were no evidence of personal data being harvested.

Source

Separately, PDPC noted that there was no evidence of unauthorised access to Singtel customers’ accounts. My Singtel app has since been fixed to prevent similar incidences in future.

Both companies have since fixed those issues.

Thankfully, no data was stolen. These incidents go to show how a small lapse can lead to potentially great consequences. So hopefully, companies will take extra precaution when it comes to handling sensitive customer information.

Feature images adapted from CapitaLand and Flickr.