(15 December 2014) The Office of the Privacy Commissioner for Personal Data ("PCPD") published an investigation report today concerning the leakage of personal data of the customers of an airline services company, HKA Holidays Limited ("HKA Holidays") through "TravelBud" , a mobile application ("app") running on iOS platform. This stems from the failure of the app maintenance contractor, BBDTEK Company ("BBDTek"), in responding to the new privacy protection feature of iOS7 which blocked the reading by apps of MAC address1 as a device identifier. HKA Holidays as the data user has contravened Data Protection Principle ("DPP") 4(1) in Schedule 1 to the Personal Data (Privacy) Ordinance (the "Ordinance").
Background
2. TravelBud is a travel assistant app providing online services to mobile device users including flight ticket reservation and purchase, flight itinerary management, search for information on destination, and provision of a social networking platform for the travellers. It supported transactions made by both registered members and casual customers.
3. For reservations for the first time, both members and casual customers had to input the passenger's personal data (full name, gender, date of birth, identity card number or passport number) and a contact person's personal data (name, telephone number and email address). For subsequent transactions, members were recognised by the login account they created during membership registration. On the other hand, casual customers were recognised by the MAC address of the mobile device with the app installed.
4. On 18 September 2013 (US time), Apple Inc. launched its new mobile operating system iOS7 which, for reason of privacy protection, would block the reading by apps of MAC address as a mobile device identifier. In response to apps asking for the MAC address, iOS7 would provide a fixed number instead of disclosing the true MAC address.
5. As BBDTek took no adjustment action to this change of MAC address behaviour, all casual customers making transactions under iOS7 from 19 September 2013 (Hong Kong time) onwards were identified as one person based on the same fictitious MAC address. As a result, in response to a casual customer attempting to reserve or purchase a flight ticket or make an order history enquiry using a mobile device operating on iOS7, TravelBud would show on the screen of the mobile device not only his records (order histories and personal data) but also those of all other casual customers who had made transactions through TravelBud under iOS7. There were six affected customers whose personal data was leaked to other non-members in this way before the incident was identified on 25 September 2013.
The Commissioner's Determination
6. Apple Inc. had since 10 June 2013 informed app developers registered with its Developer Program of the launch of the iOS7, and to provide beta versions to them for testing. However, despite its repeated and multi-channelled communication efforts over a period of three months, BBDTek claimed it was unaware of Apple Inc.'s notification or news in relation to the changes or updates of the mobile operating system until 11 September 2013.
7. The Commissioner for Personal Data (the "Commissioner") did not accept BBDTek's claim of ignorance. Even though BBDTek only registered with the iOS Developer Program in September 2013 and would not have received relevant email notification from Apple Inc., it should, as a technology company specialising in app development, have kept abreast of the news and technology updates from Apple Inc. Further, as iOS7 was launched a week later on 18 September 2013, there was still time for BBDTek to take steps to prevent the data breach. The Commissioner therefore concluded that BBDTek was the culprit for the data breach.
8. However, BBDTek was only an outsourced agent of HKA Holidays and was not provided or entrusted with any personal data of the latter's customers for processing. Accordingly, BBDTek was not a data user as defined under the Ordinance.
9. On the other hand, by virtue of section 65(2) of the Ordinance, HKA Holidays as BBDTek's principal was responsible for BBDTek's misdeed. It had contravened DPP4(1) for failing to take all reasonably practicable steps to ensure that the personal data handled through the operation of TravelBud was protected against unauthorised or accidental access.
Remedial Action
10. HKA Holidays ceased the use of MAC address as the identifier of mobile devices for casual customers who reserved and purchased flight tickets through TravelBud. Further, the legal ownership of TravelBud was transferred from HKA Holidays to a Mainland company. In the circumstances, no enforcement notice has been served on HKA Holidays. Instead, the Commissioner has warned HKA Holidays that enforcement action would be taken should it fail to observe the relevant requirements under the Ordinance in similar situations in future.
The Commissioner's Advice
11. The Commissioner, Mr Allan Chiang commented, "Apps are now commonplace tools, transforming business operations and individuals' lives. People use apps on their mobile devices constantly, such as to check their account balance, to shop, to watch news and to communicate with their friends and relatives, etc. App developers often collect and process a wide range of personal data through the apps. Hence they play a key role in safeguarding privacy in the use of mobile devices. Although they are mostly small and medium enterprises, they still have the obligation to comply with the requirements under the Ordinance. It is incumbent upon them to keep abreast of the relevant trends and developments in technology so that they can update the apps they have developed to achieve enhanced functionality without compromising privacy and data protection."
12. "When outsourcing the development of the apps, an organisation should exercise care and choose competent app developers with good track records. Without appropriate safeguards in appointing outsourced agents, leakage or misuse of the personal data due to the agents' negligence might happen, thus causing serious harm to its customers and bringing the organisation into disrepute," Mr Chiang added.
13. The Commissioner advises that for the purpose of complying with the security requirements under DPP4 of the Ordinance, an organisation may consider adopting the recommended contractual terms found in the investigation report and in PCPD's "Outsourcing the Processing of Personal Data to Data Processors" information leaflet2.
Read the Investigation Reports online: www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R14_6453_e.pdf
- End -
1 A media access control address ("MAC address") is a unique identifier assigned to a network device to facilitate its communications in the network. It is assigned by the manufacturer of a network device and exists on all mobile computing devices such as a smartphone.
2 www.pcpd.org.hk/english/resources_centre/publications/information_leaflet/files/dataprocessors_e.pdf