An online store sent invoices containing personal data to customers via unencrypted weblinks
The Complaint
The complainant received an unencrypted weblink (“the Weblink”) to access his invoice after making a purchase at an online store for home appliances (“the Store”). The complainant discovered that by modifying the last five digits of the Weblink, he could gain access to other customers’ invoices, which contained order information including their names, phone numbers, email addresses, delivery addresses and purchase details. The complainant was of the view that the Store had failed to safeguard its customers’ personal data and hence lodged a complaint against the Store with the PCPD.
Outcome
After the PCPD intervened, the Store promptly rectified the problem. External access to the information contained in the invoice(s) was no longer feasible by clicking on the Weblink or modifying the digits of the Weblink. To prevent recurrence of similar incidents, the Store pledged that invoices containing personal data would be sent to customers in portable document format (PDF) in the future, instead of providing them with weblinks.
The PCPD issued a warning to the Store, requiring them to strictly comply with the relevant requirements of the PDPO on handling customers’ personal data by taking all practicable steps to ensure that any personal data held by them is protected against unauthorised or accidental access, processing, erasure, loss or use.
Lesson learnt
The primary cause of the complaint was that the Store, in using weblinks to provide customers with their respective invoices, failed to adopt stringent security measures to protect the personal data of the designated customers from unauthorised access, and failed to detect the vulnerability arising from modification of the weblinks. Before engaging in any practice that involves the handling of personal data, organisations should conduct thorough risk assessments on the transmission and storage of personal data, covering measures such as the implementation of adequate encryption tools to protect personal data in transmission, and should identify and address any vulnerabilities in their data security. This can minimise the risk of exposing customers’ personal data and ensure compliance with the relevant requirements under the PDPO.
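The flaw in this case is an invoice link whose trailing digits are the only thing selecting the record. As an added illustration (not the Store's code; the invoice data, key and all function names are constructed assumptions), this Python example sets that pattern beside a lookup that requires an unguessable per-invoice token and an ownership check, with a pre-release check that counts how many neighbouring invoice numbers return data:

```python
import hashlib
import hmac
import secrets

# Constructed sample data: sequential invoice numbers, as in the case.
INVOICES = {
    10001: {"owner": "alice", "name": "Alice Example", "phone": "5550 0001"},
    10002: {"owner": "bob", "name": "Bob Example", "phone": "5550 0002"},
    10003: {"owner": "carol", "name": "Carol Example", "phone": "5550 0003"},
}
LINK_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


def fetch_invoice_weak(invoice_id):
    """The flawed pattern: the number in the link is the only 'credential'."""
    return INVOICES.get(invoice_id)


def link_token(invoice_id):
    """Unguessable per-invoice token: HMAC-SHA256 over the invoice number."""
    return hmac.new(LINK_KEY, str(invoice_id).encode(), hashlib.sha256).hexdigest()


def fetch_invoice(invoice_id, token, session_customer):
    """Hardened lookup: valid token AND the logged-in customer owns the invoice."""
    expected = link_token(invoice_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return None
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != session_customer:
        return None
    return invoice


def neighbours_exposed(fetch, own_id, span=2):
    """Pre-release check: how many adjacent invoice numbers return data?"""
    ids = [i for i in range(own_id - span, own_id + span + 1) if i != own_id]
    return sum(1 for i in ids if fetch(i) is not None)


def hardened_as_bob(invoice_id):
    # Bob keeps the token from his own link while changing the number.
    return fetch_invoice(invoice_id, link_token(10002), "bob")


if __name__ == "__main__":
    print("weak lookup, neighbours exposed:", neighbours_exposed(fetch_invoice_weak, 10002))
    print("hardened lookup, neighbours exposed:", neighbours_exposed(hardened_as_bob, 10002))
```

The ownership check matters independently of the token: a forwarded or leaked link with a valid token still returns nothing to a different logged-in customer.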
(Uploaded in February 2024)