Breach of the Protection Obligation by MCST 3400
Adapted from: Breach of the Protection Obligation by MCST 3400
by Shermaine Ang Edited by Leong Wai Chong, CIPM, GRCP
A warning was issued to Management Corporation Strata Title Plan No. 3400 (MCST 3400) for failing to put in place reasonable security arrangements to prevent the unauthorised access of 562 individuals’ personal data stored in an internal directory.
Facts of the case
On 2 September 2019, the Personal Data Protection Commission (PDPC) was notified that a directory containing personal data belonging to MCST 3400 was accessible on the Internet by any member of the public.
Back in April 2012, MCST 3400 had purchased a Network Attached Storage Device (NAS) for internal file sharing among its administrative staff over a local network. The directory was one of the files stored on the NAS. Not intending for the NAS to be connected to the Internet, the organisation was unaware that the directory could be accessed via an Internet Protocol address without the need for any login credentials.