Financial penalties of $10,000 each were imposed on Propnex Realty and JP Pepperdine for failing to make reasonable security arrangements to prevent unauthorised access to individuals’ personal data stored online.
Propnex was also directed to cease the storage of documents containing personal data via its system until a security scan had been conducted.
PropNex Realty
On 28 December 2015, the Personal Data Protection Commission (“Commission”) received a complaint from the Complainant in relation to the publication online of the Organisation’s internal Do Not Call list containing the personal data of 1765 individuals, including the Complainant and her sisters (“PropNex DNC List”).
Following the complaint, the Commission undertook an investigation into the matter.
The Complainant alleged that she and her sisters had been receiving marketing calls and messages from various telemarketers (including moneylenders) on their mobile telephone numbers even though they had not consented to being contacted.
When the Complainant spoke to one of the telemarketers over the phone to ask where he had obtained her telephone number, she was informed that her name and telephone number were available on the Internet. This prompted the Complainant to conduct a search on the Internet for her name. Among the search results was a URL link (“Link”) to the PropNex DNC List dated 29 July 2015 in PDF format.
The PropNex DNC List contained, amongst other things, the Complainant’s full name, mobile and landline numbers, residential address and internal instructions to the Organisation’s agents regarding the Complainant.
On 31 December 2015, the Commission informed the Organisation’s Data Protection Officer of the Data Breach Incident and requested that the PropNex DNC List be taken down. The Organisation confirmed that the PropNex DNC List belongs to the Organisation and that it had no knowledge of the Data Breach Incident until it was notified of the complaint.
On 4 January 2016, the Organisation deleted the PropNex DNC List from its VO System and asked Google to exclude the Link from its search results. The Organisation also took steps to prevent a recurrence of the Data Breach Incident by introducing a new way of disseminating the DNC List internally: a secured database that can be searched only through an authenticated web form.
Investigations disclosed that in or around July 2015, the PropNex DNC List, in PDF format, was placed in a shared folder for internal use on the VO System, which was accessible only to the Organisation’s agents and staff through authenticated login. Earlier versions of the PropNex DNC List had been placed in the same shared folder since the beginning of 2015.
JP Pepperdine Group Pte. Ltd.
On 25 October 2015, the Complainant informed the Personal Data Protection Commission (the “Commission”) that any member of the public could readily access the personal data of members who had joined the Organisation’s membership programme by entering an arbitrarily chosen membership number on a webpage (http://goo.gl/5BX9Rr, a Google URL Shortener link that redirects to http://ascentis.com.sg/microcrm/JacksPlace_memberportal/searchprofile.aspx) listed on the Organisation’s membership brochure (the “Webpage”).
Members of the public could also perform a search, without entering any search parameters at all, using the search functions available on the Webpage.
The Organisation operates a number of restaurants in Singapore under various brands (e.g. Jack’s Place, Eatzi Gourmet). The Organisation has a membership programme for its customers. Participating in the membership programme entitles members to special promotions and discounts across the different restaurants operated by the Organisation.
Each member would be assigned a 7-digit membership number by the Organisation. Membership numbers run sequentially. At the time of the investigation (December 2015), the Organisation had approximately 30,000 members.
The personal data that was publicly accessible through the Webpage included names of members, gender, marital status, nationality, race, NRIC/Passport number, date of birth, mobile phone number, home phone number, email addresses, residential addresses, and other membership account details.
On 29 October 2015, after receiving the Commission’s notification, the Organisation introduced security features to the Webpage by incorporating a password protection feature such that the Webpage was no longer publicly accessible and could only be accessed after authentication.
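The weakness described above is a lookup keyed on a guessable, sequential identifier with no authentication and no check that the record belongs to the caller. The following is an added illustration, not code from the Organisation, the Commission or its vendor, using a constructed in-memory member store and a hypothetical `Session` type: it places the unprotected lookup beside a version that requires an authenticated session, enforces ownership of the requested record, and refuses a parameterless search.

```python
# Added example (not from the PDPC decision or the Organisation's code): a
# minimal model of a member-profile lookup, contrasting the publicly reachable
# lookup by sequential membership number with a version that requires an
# authenticated session and only returns the caller's own record.
# Membership numbers and names below are constructed sample data.

from dataclasses import dataclass
from typing import Optional

# Constructed sample store keyed by sequential 7-digit membership numbers.
MEMBERS = {
    "0001000": {"name": "Member A", "mobile": "+65 0000 0001", "nric": "[redacted]"},
    "0001001": {"name": "Member B", "mobile": "+65 0000 0002", "nric": "[redacted]"},
}


@dataclass
class Session:
    """Hypothetical authenticated session; member_no is None for an anonymous visitor."""
    member_no: Optional[str]


def lookup_profile_unprotected(member_no: str) -> Optional[dict]:
    """The weak pattern: any visitor who supplies a valid number gets the full
    record. With sequential numbers, every member's record is reachable."""
    return MEMBERS.get(member_no)


def lookup_profile_protected(session: Session, member_no: str) -> Optional[dict]:
    """Hardened lookup: reject anonymous callers, then check that the requested
    record belongs to the authenticated member (authorization, not merely
    authentication), so one member cannot read another member's data."""
    if session.member_no is None:
        raise PermissionError("authentication required")
    if member_no != session.member_no:
        raise PermissionError("not authorized for this record")
    return MEMBERS.get(member_no)


def search_profiles_protected(session: Session, query: str) -> list:
    """Hardened search: no anonymous access, no blank query that dumps every
    record, and results are scoped to the caller's own record."""
    if session.member_no is None:
        raise PermissionError("authentication required")
    if not query.strip():
        raise ValueError("search parameter required")
    own = MEMBERS.get(session.member_no)
    return [own] if own and query.lower() in own["name"].lower() else []
```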
The Commission emphasised that it takes a very serious view of any instance of non-compliance under the PDPA, and it urged organisations to take the necessary action to ensure that they comply with their obligations under the PDPA. The Commission will not hesitate to take the appropriate enforcement action against the organisation(s) concerned.