Office of the Privacy Commissioner for Personal Data, Hong Kong

Case Notes
Complaint & Enquiry Cases

 

 

Notes on Complaint & Enquiry Cases related to DPP4 - security of personal data

Case No.: 2003006

Internet security: system loopholes mended to prevent unauthorized or accidental access to password protected personal data of customers - DPP4

The Complaint
A mobile phone service company provided an Internet billing service to its customers. The system was secured by a password feature: a customer had to enter his password to gain access to his account information. While attempting to access his account information via the service, a customer was alarmed to find that he could return to the secured pages he had previously visited simply by striking the "Back" button or using the "History" function of the browser, even after he had logged out from the system and gone offline.

Findings by the Privacy Commissioner
By allowing such security loopholes, the company exposed its customers' personal data to the risk of access by unintended or unauthorized third parties, particularly when customers used computer terminals in public places. This was considered a contravention of DPP4, in that the company failed to provide sufficient safeguards to protect the customer data it held. In response to the PCPD's findings, and in order to remedy the situation, the company immediately carried out rectifications to eliminate the loopholes and added security alert statements to the website, advising customers to log out from the system and close the browser window after they had finished viewing the password-controlled personal information on the website.



Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.