Unencrypted personal data transmitted in mobile applications – DPP 4 – security of personal data
Background
In monitoring personal data risks, the PCPD may inspect the activities of a data user involving large-scale collection and use of personal data.
In the second half of 2020, the PCPD conducted security testing to determine whether the mobile applications (apps) developed or operated by local enterprises which involved the collection of customers’ personal data complied with DPP 4.
The PCPD found that 14 apps did not use adequate encryption to securely transmit personal data. As a result, attackers could covertly eavesdrop on, or modify, the data in transit.
Remedial Measures
All enterprises concerned took the PCPD’s advice and implemented adequate encryption in their apps to protect personal data transmission.
Lesson learnt
Online activities and transactions are convenient but carry non-negligible risks to personal data privacy. Personal data collected by different apps may end up in the hands of hackers if such data is not protected by stringent security measures.
Organisations must protect and respect personal data in order to earn their customers' trust and remain competitive. Organisations should regularly review and update their apps to ensure the security of personal data.
(Uploaded in June 2022)