The Personal Data Protection Commission (the “Commission”) received information on 24 August 2020 that Fujioh International Trading Pte Ltd’s (“Fujioh”) website had been affected by URL manipulation, resulting in its customers’ personal data being exposed on Fujioh’s online warranty system on its website. The attacker gained access to the Organisation’s website by iterating through the customers’ given identifiers that were reflected at the end of the URL, to download the uploaded receipt images. The personal data of 2,771 individuals was affected. The affected datasets comprised the affected individuals’ name, address, email and telephone number.
It was established that Fujioh (a) had an application weakness in the receipt submission process of its online warranty system, (b) did not have proper data protection clauses in its contract with its vendor, and (c) had insufficient data protection management.
After the incident, as part of a remediation plan, Fujioh had:
(a) introduced session tokens in the online warranty system that expire at the end of each receipt;
(b) replaced its online warranty system to fix undetected vulnerabilities;
(c) established a Data Protection Management Programme that consisted of the drafting of policies and notices, and the establishment of procedures, templates, a data inventory map and a data protection training curriculum for employees; and
(d) established checklists, procedures and templates for third-party vendors.
Having considered the circumstances of the case, including the remedial steps taken by Fujioh to improve its personal data protection practices, the Commission accepted an undertaking from Fujioh to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 31 March 2021 (the “Undertaking”).
The Undertaking provided that Fujioh was to complete implementation of its remediation plan by replacing its online warranty system to fix undetected vulnerabilities.
Fujioh has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that Fujioh has complied with the terms of the Undertaking.