Financial penalties of $10,000 each were imposed on PropNex Realty and JP Pepperdine for failing to make reasonable security arrangements to prevent unauthorised access to individuals’ personal data stored online.
PropNex was also directed to cease storing documents containing personal data on its system until a security scan had been conducted.
On 28 December 2015, the Personal Data Protection Commission (“Commission”) received a complaint from the Complainant in relation to the publication online of the Organisation’s internal Do Not Call list containing the personal data of 1765 individuals, including the Complainant and her sisters (“PropNex DNC List”).
Following the Complainant’s complaint, the Commission then undertook an investigation into the matter.
The Complainant alleged that she and her sisters had been receiving marketing calls and messages from various telemarketers (including moneylenders) on their mobile telephone numbers even though they had not consented to being contacted.
When the Complainant spoke to one of the telemarketers over the phone to ask where he had obtained her telephone number, she was informed that her name and telephone number were available on the Internet. This prompted the Complainant to conduct a search on the Internet for her name. Among the search results was a URL link (“Link”) to the PropNex DNC List dated 29 July 2015 in PDF format.
The PropNex DNC List contained, amongst other things, the Complainant’s full name, mobile number and landline, residential address and internal instructions to the Organisation agents regarding the Complainant.
On 31 December 2015, the Commission informed the Organisation’s Data Protection Officer of the Data Breach Incident and requested that the PropNex DNC List be taken down. The Organisation confirmed that the PropNex DNC List belongs to the Organisation and that it had no knowledge of the Data Breach Incident until it was notified of the complaint.
On 4 January 2016, the Organisation deleted the PropNex DNC List from its VO System and informed Google to exclude the Link from its search results. The Organisation also took steps to prevent a recurrence of the Data Breach Incident by introducing a new way of disseminating the DNC List internally: through a secured database that can be searched using an authenticated web form.
Investigations disclosed that in or around July 2015, the PropNex DNC List was in PDF format and placed in a shared folder for internal use on the VO System which was accessible only by the Organisation agents and staff through authenticated login. Earlier versions of the PropNex DNC List had been placed in the same shared folder since the beginning of 2015.

JP Pepperdine Group Pte. Ltd.

On 25 October 2015, the Complainant informed the Personal Data Protection Commission (the “Commission”) that any member of the public could readily access the personal data of members who had joined the Organisation’s membership programme by entering a randomly simulated membership number on a webpage (http://goo.gl/5BX9Rr, a Google URL Shortener link that redirects to http://ascentis.com.sg/microcrm/JacksPlace_memberportal/searchprofile.aspx) listed on the Organisation’s membership brochure (the “Webpage”).
Members of the public could also perform a search (without inputting any search parameters) using the search functions available on the Webpage.
The Organisation operates a number of restaurants in Singapore under various brands (e.g. Jack’s Place, Eatzi Gourmet). The Organisation has a membership programme for its customers. Participating in the membership programme entitles members to special promotions and discounts across the different restaurants operated by the Organisation.
Each member would be assigned a 7-digit membership number by the Organisation. Membership numbers run sequentially. At the time of the investigation (December 2015), the Organisation had approximately 30,000 members.
The personal data that was publicly accessible through the Webpage included names of members, gender, marital status, nationality, race, NRIC/Passport number, date of birth, mobile phone number, home phone number, email addresses, residential addresses, and other membership account details.
On 29 October 2015, after receiving the Commission’s notification, the Organisation introduced security features to the Webpage by incorporating a password protection feature such that the Webpage was no longer publicly accessible and could only be accessed after authentication.
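The weakness described above (a lookup keyed on a sequential membership number, with no authentication and an empty search that still returns results) is shown here beside a hardened form. This is an added example, not code from the Organisation or its vendor; the `Session` class, function names and sample records are hypothetical, and the per-member ownership check is an assumption that goes beyond the password protection the article reports.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records. Membership numbers are 7-digit and sequential,
# as the article describes; all values are placeholders.
MEMBERS = {
    "1000001": {"name": "Member A", "mobile": "<placeholder>"},
    "1000002": {"name": "Member B", "mobile": "<placeholder>"},
}


@dataclass
class Session:
    """Hypothetical server-side session; member_no is set only after login."""
    member_no: Optional[str] = None


class AccessDenied(Exception):
    """Raised when the caller may not see the requested record."""


def lookup_unprotected(member_no: str) -> list:
    """The behaviour the article describes: no login, and an empty
    search parameter matches every record."""
    if not member_no:
        return list(MEMBERS.values())
    record = MEMBERS.get(member_no)
    return [record] if record else []


def lookup_protected(session: Optional[Session], member_no: str) -> dict:
    """Hardened lookup: authenticate, validate input, then authorise."""
    # 1. Authentication: anonymous callers get nothing.
    if session is None or session.member_no is None:
        raise AccessDenied("login required")
    # 2. Input validation: an empty or malformed parameter is an error,
    #    never a wildcard.
    if not (member_no.isascii() and member_no.isdigit() and len(member_no) == 7):
        raise ValueError("membership number must be exactly 7 digits")
    # 3. Authorisation: a guessable identifier is not a secret, so the
    #    record must belong to the logged-in member.
    if member_no != session.member_no:
        raise AccessDenied("record belongs to another member")
    record = MEMBERS.get(member_no)
    if record is None:
        raise AccessDenied("no such member")
    return record
```
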
The Commission emphasised that it takes a very serious view of any instance of non-compliance under the PDPA, and urged organisations to take the necessary action to ensure that they comply with their obligations under the PDPA. The Commission will not hesitate to take the appropriate enforcement action against the organisation(s) accordingly.
