Complaint Case Notes

Case number: 0163/2017/IP

Title: Company’s customer data compromised due to security vulnerabilities

Reason for opening the case: Report


Company A reported an incident of personal data leakage to the GPDP (Gabinete para a Protecção de Dados Pessoais / Office for Personal Data Protection). The case stemmed from a loophole in its server systems that third parties could exploit. The loophole had been announced in an internal notice issued by Company A’s parent corporation, together with the corresponding patches. However, the IT staff failed to act on the notice, and third parties subsequently exploited the loophole and breached the personal data of Company A’s customers.


Under Articles 4(1)(1) and 3(1) of the PDPA (Personal Data Protection Act, Law 8/2005), the processing of the said data is subject to that Law.

Apart from general personal data, the compromised information also included treatment dates, treatment fees and other related health information, all of which qualify as sensitive data under Article 7(1) of the PDPA.

For the performance of customer contracts, Company A had obtained the customers’ unambiguous consent before processing their personal data. It observed the non-discrimination principle and introduced security measures pursuant to Article 16 of the PDPA; these steps complied with the conditions for legitimate processing in Articles 6 and 7 of the PDPA.

With regard to processing security, Company A admitted that its IT staff’s inaction over the said system vulnerability, namely their failure to close the loophole in time, led to the exposure of the data. After the incident, Company A scrutinized all system programs as a post-incident remedy, to ensure that system corrections would be carried out according to the requirements of the internal notice. It also made it mandatory to respond to every reported matter regardless of its scale. It is reasonable to believe that the said data leak might have been prevented had the system vulnerability been removed promptly.

Company A failed to introduce appropriate security measures to protect the sensitive data of its customers, and was therefore liable to a penalty for violating Article 16(1) of the PDPA.

In the written hearing, Company A argued that the types of personal data found in the leak were not sensitive data, as they were unrelated to diagnosis, treatment or the professional work of medical staff and did not reveal the customers’ health conditions. Company A therefore contended that it should not be held liable for the administrative offence of failing to introduce the special security measures required by Article 16 of the PDPA.

Article 7(1) of the PDPA provides that “personal data concerning health” is one type of sensitive data, among others, and the GPDP takes the same view of the customer data found in the said exposure.

Considering that the documents on personal data protection issued by the EU and Portugal are important reference works for the PDPA of Macao, the GPDP, drawing on the perspectives in their laws and judgements, takes the view that personal data concerning health is not restricted to professional medical information but covers all information pertaining to the health status of a natural person.

Among the various types of personal data found in the said data leak, the treatment date and fee already reveal on which day(s) the data subjects received treatment and how they were treated. Normally, a person seeks medical help only when feeling ill or after a health problem has been found. The treatment fee can to some extent reflect the assessment made by doctors or healthcare organizations. On this basis, the customer data found in the present case qualify as personal data concerning health and therefore as sensitive data.

The above shows that Company A, when processing sensitive data, failed to introduce the special security measures, which led to the data leak and constituted a violation of Article 16 of the PDPA.


After considering all the facts and the details of the investigation, the GPDP found that Company A had failed to introduce the security measures for personal data processing required by Article 16(1) of the PDPA. This failure led to unauthorized access to the sensitive data of its customers by third parties. On the basis of Article 33(1) of the PDPA, the GPDP decided to impose a penalty of MOP$8000.

Please refer to Articles 3, 4, 6, 7, 16 and 33 of the PDPA.