Tech Mahindra Fined for Leaking Singtel Data
Authorities Say Company Failed to Protect Information on 2.78 Million Singtel Customers
Singapore's Personal Data Protection Commission has fined India-based IT services firm Tech Mahindra S$10,000 for failing to protect the personal details of 2.78 million customers of one of its clients, Singtel, Singapore's largest telecom company.
PDPC administers the Personal Data Protection Act 2012 in Singapore and aims to safeguard individuals' personal data against misuse and to promote proper management of personal data in organizations (see: Singapore Mulling Data Privacy Legislation).
According to PDPC, the investigations began in 2016, after Singtel customers noticed other people's personal details, including NRIC (alphanumeric identity code used by citizens in Singapore) number and account number, on the company's website and on the My Singtel mobile application.
"Singtel's investigations disclosed that it is due to an application security lapse, as the software development lifecycle was not properly followed," says Yeong Zee Kin, deputy commissioner at PDPC.
Tech Mahindra declined comment on this finding, telling Information Security Media Group: "Tech Mahindra is complying with the Personal Data Protection Commission's findings. We are unable to share any further information due to confidentiality agreement with the client."
The Modus Operandi
According to details released by PDPC, the genesis of the matter can be traced to when Singtel and Tech Mahindra sought to rectify an issue with an affected customer's ONEPASS account on February 26, 2016. ONEPASS account is a single window to access all Singtel's services.
Tech Mahindra subsequently determined that an update was needed to the affected customer's profile on the ONEPASS database, and it executed a database script to update the profile. However, on February 29, 2016, Singtel received several reports from ONEPASS users complaining that their profiles had been modified to reflect that affected customer's personal details.
A total of 2.78 million ONEPASS users' accounts were affected, out of which 2,518 users had viewed the affected customer's NRIC number through the MySingtel Application, leading Singtel to temporarily disable the application.
Saying that this is a case of gaps in application security, Kin notes: "The Tech Mahindra employee who prepared the database script had omitted a 'where' clause in the script, which was required to limit the application of the changes to the affected customer's profile. This was in breach of standard operating procedures that were in place at that time."
Once the issue was discovered and the matter was investigated, it was concluded that Tech Mahindra didn't check if the database script was functioning properly in a test-bedding environment before execution in the production environment.
"Additionally, employees of the IT vendor were also expected to verify that an update was correct after the execution of the database update script. However, in this case, both these layers of checks were omitted," Kin says.
The PDPC said that Tech Mahindra was acting as a data intermediary for Singtel. But it "failed to make reasonable security arrangements to protect the personal data of Singtel customers that it processed", which led to the S$10,000 fine.
Security specialists say that although this incident is not a breach caused by external hackers, data integrity nevertheless was breached.
A Singapore-based IT GRC practitioner from a large advisory group, requesting anonymity, notes: "Buying from a third party today is easy, but managing the relationship for mutual benefit can be difficult due to different reasons. The [Service Level Agreement] is very critical, with the terms and conditions clearly spelled out in the backdrop of cybersecurity threats, which needs to be updated to make it relevant to the changing threat landscape given the pace at which technology is changing."
The static part of the engagement can be jeopardized when third-party vendors don't closely follow the standards established by global bodies, such as ISO27001 and ISO33000.
Chuan-Wei Hoo, technical adviser, Asia Pacific at (ISC)², says that while companies may have the right processes and people in place, they must ensure the same standards are followed by the vendors to whom they outsource. "We have seen companies in economies that provide these outsourcing services develop the human capability, but there is still a long way to go," Hoo says. "Principals should work closely with their suppliers and service providers [when handling sensitive data] to ensure all have the right skill sets."
Additionally, there are guidelines to which one can always refer. For instance, Singapore has the NICF, which can be used as guidance.
"While we have the framework as guidance, it is important to carry out ... security assessment reviews on a regular basis," Hoo says. "Regular audits establish a security baseline against which you can measure progress and keep track with the internal and outsourcer's security posture."
During its investigation, PDPC concluded that Singtel had taken the necessary measures in instructing Tech Mahindra on updating the affected customer's profile on the ONEPASS database. PDPC states that Singtel had made specific reference to the "where" clause in the database script in an email on April 2, 2015. "The email has given out instructions that the 'where' clause in each database had to be a primary key - it could not be left blank," Kin says in his report. The function of the 'where' clause is to introduce a restrictive parameter that confines the operation of the programmatic instructions to specific records, columns or tables in the database.
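The two controls the report says were missing (restricting the update to one record by its primary key, and verifying how many rows the script actually changed before the change is allowed to stand) can be expressed as a small guard around the update. The following is an added example in Python with SQLite; the table, column names and NRIC values are constructed for illustration and are not Singtel's or Tech Mahindra's schema or script.

```python
import sqlite3

# Constructed sample profile rows (hypothetical account ids and NRIC-style values).
SAMPLE_PROFILES = [
    (1001, "user_a", "S1234567A"),
    (1002, "user_b", "S2345678B"),
    (1003, "user_c", "S3456789C"),
]


def make_db():
    """Build an in-memory table standing in for a profile database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profile (account_id INTEGER PRIMARY KEY, login TEXT, nric TEXT)")
    conn.executemany("INSERT INTO profile VALUES (?, ?, ?)", SAMPLE_PROFILES)
    conn.commit()
    return conn


def unguarded_update(conn, new_nric):
    """The defect described in the report: no WHERE clause, so every profile is rewritten."""
    cur = conn.execute("UPDATE profile SET nric = ?", (new_nric,))
    conn.commit()
    return cur.rowcount


def run_update_guarded(conn, sql, params, expected_rows=1):
    """Run an UPDATE inside a transaction and commit only if it touched exactly
    expected_rows rows; otherwise roll back. A script whose WHERE clause was
    omitted fails this check instead of changing every row. Returns (ok, rowcount)."""
    cur = conn.execute(sql, params)  # sqlite3 opens the transaction implicitly here
    if cur.rowcount != expected_rows:
        conn.rollback()
        return False, cur.rowcount
    conn.commit()
    return True, cur.rowcount


def nric_counts(conn):
    """Post-execution verification: how many profiles carry each NRIC value."""
    return {r[0]: r[1] for r in conn.execute("SELECT nric, COUNT(*) FROM profile GROUP BY nric")}
```

Running the same guard against a test copy of the database first gives the test-bedding check the report mentions; the row-count check is what stops the production run.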
Rana Gupta, vice president, APAC sales, identity and data protection at Gemalto, says that actions such as Singtel's will improve accountability of industry players. "Mandatory breach notifications along with financial penalties in cases of inadequate measures to protect the privacy of PII (personally identifiable information) is a good way to promote accountability in the industry," Gupta says (see: Singapore Debates Breach Disclosure).
The anonymous practitioner says, "More than penalty, such notifications will ensure that companies pull up their socks, since such incidents can damage their brand value which can't be measured in money."