Re SPH Magazines Pte Ltd [2020] SGPDPC 3 concerns the fabled HardwareZone forum site. This is perhaps one of the last surviving local internet communities in Singapore. A few undergraduates started out a website and there were dreams to IPO. Well, all that is water under the bridge now since it was bought over by SPH in 2006. Given its roots, its passionate volunteers are a very integral part of the “community”.

Well, a particular volunteer failed to change his password in the course of ten years, or meet the length and complexity standards of a good password. It became the source of a data breach affecting over 685,000 members which went undetected over 2 years. Among others, SPH was penalized $26,000.

Thing 1: Volunteers are a source of liability#

This blog discussed two main sources of vulnerability for data protection: employees and vendors. We can now add “volunteers” to the list. Since volunteers are spending their free time doing things for free, they may not exercise so much care.

Notwithstanding, volunteers are included in the scope of employees. It is written in clause 2 of the PDPA — “employee” includes a volunteer.

SPH required employees to implement password security but failed to do so for their volunteers. Given the powers granted to senior moderators in the forum, a breach caused by a volunteer’s lax practices, can become a source of liability. It’s clear that SPH had left out volunteers in their security considerations.

You should look over your systems and processes and find out whether there are any volunteers involved in them. Don’t turn a blind eye!

Thing 2: Vintage is a liability#

Although this was not directly mentioned in the decision, I also believe that the long history of the website was also an issue.

The Hardware Zone website has a long history. The password policy also showed its long history. Password policies have evolved over time in terms of length, complexity and whether you can reuse a password. The widespread use of multi factor authentication is also a recent phenomenon.

At the other end of spectrum, you will find passwords that don’t change for ten years.

Interestingly, this shows the importance of performing due diligence in an acquisition. SPH should have tested or at least reviewed its new property for any security vulnerabilities. Even if this was not a critical consideration prior to an acquisition, it should at least be done soon. Omitting this can result in data breaches which you will not be liable for.

Thing 3: Rethink passwords#

This decisions shows that credential issues still pervade the data security and protection landscape. The PDPC found that no system was compromised here; the password must have been leaked from another database. Maybe the administrator used the same password for several accounts, and one of them got hacked, affecting the others.

Today we have far too many accounts and too many logins to remember. Many people use one password for several. Password managers are a mainstream product. I have never been a fan of passwords. The mental capacity to remember even PIN numbers is troublesome to me.

Importantly, one should know that there are several methods of user authentication. Besides the password manager and the multi-factor authentication mentioned above, there is also OTP, biometrics and browsers. The Singpass mobile application also features an interesting method of authentication. As such, when designing in security, take some time to think about your users in terms of which kind of authentication is best.