July 11, 2018

Auto-fill forms – time savers or data security risks?

Back in May 2017, an online citizen service, MyInfo, was launched in Singapore to make filling in online government forms less tedious by allowing fields to be automatically filled with the user’s personal data, such as full name, NRIC number and registered address.

The launch of the MyInfo Developer and Partner Portal in November 2017 has enabled this service to be extended to local businesses, which conveniently means that a click of the button is all it takes to automatically fill up e-transaction forms of locally-registered businesses starting from 2018.

The autofill feature will automatically populate forms, and one would naturally assume that the information will be stored and handled in a secure manner. However, this is where there is a potential risk that a leak could occur: a malicious site developer could, for example, add hidden fields to a page, which are drawn outside the visible screen. Those hidden fields could then be automatically filled out as well, without the user’s knowledge. There is also the risk that if a user’s MyInfo account were compromised, an unauthorised person could make use of the auto-fill feature to impersonate the user online without the user or the company becoming aware of the deception until it was too late.

While this service can improve business efficiency by offering convenience and reducing time spent on face-to-face meetings, there is a risk to the security and privacy of a consumer’s personal data. Personal data is very valuable and, once stolen by criminals, it can be misused in various unlawful activities such as money laundering and identity theft.

Singaporean consumers are protected by the Personal Data Protection Act (PDPA) and are entitled to determine if their data can be collected and stored, how the data is used and whether the data can be disclosed to third parties. The PDPA offers a baseline standard of protection. However, the responsibility to protect personal data ultimately falls back on the consumer. By being careful about how you manage your personal data, you can greatly limit potential risks of misuse and data breaches.

Data breaches are often unknowingly caused by human error and even the most reputable companies are not immune. For example, Aviva was found to be in breach of the PDPA when the complainant received another policyholder’s letters in his mail. This occurred when no additional checks were done after a staff member was assigned to process the letters. Additional layers of checks should be implemented to ensure that there is strict adherence to standard operating procedures, and this also serves as an additional line of defence. For example, an effective risk management programme can be implemented to assist managers in defining risk exposure, as well as in developing, facilitating and monitoring the implementation of effective risk management practices in daily operations. Internal and external audits should also be done regularly by both large and small organisations.

Auto-fill is a great tool for time-saving, but at the same time can be more trouble than it is worth by exposing users to the vulnerability of a data breach. Consumers should also hold organisations accountable for safeguarding their data, and they should ensure that the organisations are transparent about how the information will be used and make sure that the data is kept securely and disposed of responsibly and in a timely manner, for example through secure shredding. Implementing a Shred-it All policy could also help curb data breaches. Do think twice before enabling auto-fill tools or subscribing to similar services; the pain of manually filling each text field could pay off in protecting your personal data!
