Razer v Capgemini: Negligence & Breach of Contract in Data Leak

Razer (Asia-Pacific) Pte. Ltd. sued Capgemini Singapore Pte. Ltd. in the General Division of the High Court of Singapore on December 9, 2022, for negligence and breach of contract. The lawsuit arose from a server misconfiguration that led to a leak of Razer's customer data. The court, presided over by Lee Seiu Kin J, found that Capgemini breached its contractual obligations and was negligent in its handling of the situation, resulting in damages to Razer. The court ruled in favor of Razer.

1. Case Overview

1.1 Court

General Division of the High Court of the Republic of Singapore

1.2 Outcome

Judgment for Plaintiff

1.3 Case Type

Civil

1.4 Judgment Type

Judgment

1.5 Jurisdiction

Singapore

1.6 Description

Razer sues Capgemini for negligence and breach of contract after a server misconfiguration led to a data leak. The court found in favor of Razer.

1.7 Decision Date

8 December 2022

2. Parties and Outcomes

Party Name	Role	Type	Outcome	Outcome Type	Counsels
Razer (Asia-Pacific) Pte Ltd	Plaintiff	Corporation	Judgment for Plaintiff	Won	Wong Hin Pkin Wendell of Drew & Napier LLC Andrew Chua Ruiming of Drew & Napier LLC Olivia Tan Ying Ling of Drew & Napier LLC
Capgemini Singapore Pte Ltd	Defendant	Corporation	Judgment against Defendant	Lost	Tan I Kwok Lionel of Rajah & Tann Singapore LLP Andre Yeap SC of Rajah & Tann Singapore LLP Yap Pui Yee of Rajah & Tann Singapore LLP

3. Judges

Judge Name	Title	Delivered Judgment
Lee Seiu Kin	Judge	Yes

4. Counsels

Counsel Name	Organization
Wong Hin Pkin Wendell	Drew & Napier LLC
Andrew Chua Ruiming	Drew & Napier LLC
Olivia Tan Ying Ling	Drew & Napier LLC
Tan I Kwok Lionel	Rajah & Tann Singapore LLP
Andre Yeap SC	Rajah & Tann Singapore LLP
Yap Pui Yee	Rajah & Tann Singapore LLP

4. Facts

Razer engaged Capgemini (formerly WhiteSky Labs) to upgrade its e-commerce platform.
Capgemini recommended and installed the ELK Stack for data analysis.
Mr. Cabalag, a Capgemini employee, was given administrative credentials to Razer's servers.
Mr. Cabalag misconfigured a server file while troubleshooting a login problem.
The misconfiguration disabled security settings, leading to a data leak.
A security researcher, Mr. Diachenko, discovered the data leak and notified Razer.
Razer's customer data was exposed for several weeks due to the misconfiguration.

5. Formal Citations

Razer (Asia-Pacific) Pte Ltd v Capgemini Singapore Pte Ltd, Suit No 1233 of 2020, [2022] SGHC 310

6. Timeline

Date	Event
2018-01-01	Razer embarked on Project Phoenix
2019-03-01	Razer engaged WhiteSky Labs (Singapore) Pte Ltd as its information technology consultant
2019-03-20	Razer and WSL entered into a Data Processing Addendum
2019-07-15	Mr Argel Cabalag employed by WSL as a Senior Consultant
2020-02-05	Razer and WSL entered into an SOW for “Project Phoenix – ELK Reporting DB & API”
2020-03-01	Capgemini acquired WSL
2020-04-07	Razer provided Mr Cabalag with administrative user credentials to two of Razer’s servers
2020-04-09	Razer and WSL entered into an SOW for “Adaptive Managed Services”
2020-05-18	Razer and WSL entered an SOW for “Mulesoft Project Resource Support”
2020-06-01	Capgemini became a party to the consulting services agreement between Razer and WSL
2020-06-15	Mr Pradeep Annaiah was unable to log into and access the Kibana server and/or its application
2020-06-16	Mr Pradeep raised a support ticket with Capgemini to seek Capgemini’s assistance
2020-06-18	Mr Cabalag sent a WhatsApp message to Ms Neoh and later, an email to Razer’s IT Infrastructure Team, to inform that he had resolved the Login Problem
2020-08-19	Mr Bob Diachenko contacted Razer’s Support team stating that he was trying to get hold of someone on Razer’s IT team and that this was an alert of a security issue
2020-09-09	Razer management team in Singapore knew of the incident
2020-09-10	Mr Diachenko published an article on Linkedin titled “Thousands of Razer customers order and shipping details exposed on the web without password”
2022-07-13	Trial began
2022-09-20	Hearing Date
2022-12-09	Judgment Date

7. Legal Issues

Breach of Contract
- Outcome: The court found that Capgemini breached its contractual obligations to Razer.
- Category: Substantive
- Sub-Issues:
  - Failure to perform services with appropriate proficiency
  - Failure to use reasonable methods and due care to protect against harmful code
  - Breach of implied duty of care
Negligence
- Outcome: The court found that Capgemini was negligent in its handling of the Login Problem, leading to the data leak.
- Category: Substantive
- Sub-Issues:
  - Duty of care
  - Breach of duty of care
  - Causation
  - Damages
Contributory Negligence
- Outcome: The court did not find Razer to be contributorily negligent for the damage and/or losses caused by the Misconfiguration.
- Category: Substantive

8. Remedies Sought

Damages
Indemnification
Interest
Costs

9. Cause of Actions

Breach of Contract
Negligence

10. Practice Areas

Commercial Litigation
Information Technology Law
Data Protection Law

11. Industries

Technology
E-commerce
Gaming

12. Cited Cases

Case Name	Court	Affirmed	Citation	Jurisdiction	Significance
CIFG Special Assets Capital I Ltd (formerly known as Diamond Kendall Limited) v Ong Puay Koon and others and another appeal	Singapore Court of Appeal	Yes	[2018] 1 SLR 170	Singapore	Cited for the principles of contractual interpretation.
Lucky Realty Co Pte Ltd v HSBC Trustee (Singapore) Ltd	Unknown	Yes	[2016] 1 SLR 1069	Singapore	Cited for the principle that one looks to the text that the parties have used when interpreting a contract.
Zurich Insurance (Singapore) Pte Ltd v B-Gold Interior Design & Construction Pte Ltd	Unknown	Yes	[2008] 3 SLR(R) 1029	Singapore	Cited for the principle that it is permissible to have regard to the relevant context as long as the relevant contextual points are clear, obvious and known to both parties.
Sembcorp Marine Ltd v PPL Holdings Pte Ltd	Unknown	Yes	[2013] 4 SLR 193	Singapore	Cited for the reason the court has regard to the relevant context is that it places the court in “the best possible position to ascertain the parties’ objective intentions by interpreting the expressions used by [them] in their proper context”.
Yap Son On v Ding Pei Zhen	Unknown	Yes	[2017] 1 SLR 219	Singapore	Cited for the principle that the meaning ascribed to the terms of the contract must be one which the expressions used by the parties can reasonably bear.
MCH International Pte Ltd and others v YG Group Pte Ltd and others and other appeals	Unknown	Yes	[2019] 2 SLR 837	Singapore	Cited for the principle that due consideration is given to the commercial purpose of the transaction and why a particular obligation was undertaken.
Go Dante Yap v Bank Austria Creditanstalt AG	Unknown	Yes	[2011] 4 SLR 559	Singapore	Cited for the principle that in contracts under which a skilled or professional person agrees to render certain services to his client in return for a specified or reasonable fee, there is at common law an implied term in law that he will exercise reasonable skill and care in rendering those services.
Ng Giap Hon v Westcomb Securities Pte Ltd and others	Unknown	Yes	[2009] 3 SLR(R) 518	Singapore	Cited for the definition of terms implied in fact and terms implied in law.
Jet Holding Ltd and others v Cooper Cameron (Singapore) Pte Ltd and another and other appeals	Unknown	Yes	[2006] 3 SLR(R) 769	Singapore	Cited for the definition of terms implied in fact and terms implied in law.
Chua Choon Cheng and others v Allgreen Properties Ltd and another appeal	Unknown	Yes	[2009] 3 SLR(R) 724	Singapore	Cited for the definition of terms implied in fact and terms implied in law.
Lister v Romford Ice and Cold Storage Co. Ltd.	Unknown	Yes	[1957] 1 AC 555	England and Wales	Cited for the principle that the appellant was under a contractual duty of care to his employers in the performance of his duty as a driver.
Spandeck Engineering (S) Pte Ltd v Defence Science & Technology Agency	Unknown	Yes	[2007] 4 SLR(R) 100	Singapore	Cited for the elements to establish a claim in negligence.
Greenway Environmental Waste Management Pte. Ltd. v Cramoil Singapore Pte Ltd	High Court of Singapore	Yes	[2021] SGHC 203	Singapore	Cited for the principle that the standard of care required to fulfil one’s duty of care is the general objective standard of a reasonable person using ordinary care and skill.
Jurong Primewide Pte Ltd v Moh Seng Cranes Pte Ltd and others	Unknown	Yes	[2014] 2 SLR 360	Singapore	Cited for the principle that factors such as industry standards and normal practice can be taken into account when determining the standard of care.
Rohini d/o Balasubramaniam v HSR International Realtors Pte Ltd	Unknown	Yes	[2018] 2 SLR 463	Singapore	Cited for the key considerations guiding the court’s discretion to apportion liability between a claimant and a defendant are the relative causative potency of the parties’ conduct, and the parties’ relative moral blameworthiness.
Asnah bte Ab Rahman v Li Jianlin	Unknown	Yes	[2016] 2 SLR 944	Singapore	Cited for the key considerations guiding the court’s discretion to apportion liability between a claimant and a defendant are the relative causative potency of the parties’ conduct, and the parties’ relative moral blameworthiness.
V Nithia (co-administratrix of the estate of Ponnusamy Sivapakiam, deceased) v Buthmanaban s/o Vaithilingam and another	Unknown	Yes	[2015] 5 SLR 1422	Singapore	Cited for the principle that parties are bound by their pleadings.
Tribune Investment Trust Inc v Soosan Trading Co Ltd	Unknown	Yes	[2000] 2 SLR(R) 407	Singapore	Cited for the principle that the drawing of adverse inferences depends on the evidence adduced and the circumstances of each case, and should not be used as a mechanism to shore up deficiencies in one’s own case which on its own is unable to meet up the requisite burden of proof.

13. Applicable Rules

Rule Name
No applicable rules

14. Applicable Statutes

Statute Name	Jurisdiction
Contributory Negligence and Personal Injuries Act (Cap 54, 2002 Rev Ed)	Singapore
Evidence Act (Cap 97, 1997 Rev Ed)	Singapore

15. Key Terms and Keywords

15.1 Key Terms

ELK Stack
Mulesoft
Data Leak
Misconfiguration
Project Phoenix
Admin Credentials
Security Incident
Data Processing Addendum

15.2 Keywords

data leak
negligence
breach of contract
Razer
Capgemini
ELK Stack
customer data
server misconfiguration

17. Areas of Law

Area Name	Relevance Score
Negligence	90
Breach of Contract	85
Contract Law	75
Damages	70
Causation	65
Contributory negligence	60
Data Leak	60
Duty of Care	55
Security Incident	50
Commercial Law	50
Misconfiguration	45
Data Protection Law	40
Information Technology Law	35
Corporate Law	30
Company Law	25
Personal Injury	10

16. Subjects

Information Technology
Data Security
Contract Law
Negligence