Financial penalties of $10,000 each were imposed on PropNex Realty and JP Pepperdine for failing to make reasonable security arrangements to prevent unauthorised access to individuals’ personal data stored online.
PropNex was also directed to cease the storage of documents containing personal data via its system until a security scan had been conducted.
On 28 December 2015, the Personal Data Protection Commission (“Commission”) received a complaint from the Complainant in relation to the publication online of the Organisation’s internal Do Not Call list containing the personal data of 1765 individuals, including the Complainant and her sisters (“PropNex DNC List”).
Following the Complainant’s complaint, the Commission then undertook an investigation into the matter.
The Complainant alleged that she and her sisters had been receiving marketing calls and messages from various telemarketers (including moneylenders) on their mobile telephone numbers even though they had not consented to being contacted.
When the Complainant spoke to one of the telemarketers over the phone to ask where he had obtained her telephone number, she was informed that her name and telephone number were available on the Internet. This prompted the Complainant to conduct a search on the Internet for her name. Among the search results was a URL link (“Link”) to the PropNex DNC List dated 29 July 2015 in PDF format.
The PropNex DNC List contained, amongst other things, the Complainant’s full name, mobile number and landline, residential address and internal instructions to the Organisation’s agents regarding the Complainant.
On 31 December 2015, the Commission informed the Organisation’s Data Protection Officer of the Data Breach Incident and requested that the PropNex DNC List be taken down. The Organisation confirmed that the PropNex DNC List belongs to the Organisation and that it had no knowledge of the Data Breach Incident until it was notified of the complaint.
On 4 January 2016, the Organisation deleted the PropNex DNC List from its VO System and informed Google to exclude the Link from its search results. The Organisation also took steps to prevent a recurrence of the Data Breach Incident by introducing a new way of disseminating the DNC List internally: a secured database that can be searched using an authenticated web form.
Investigations disclosed that in or around July 2015, the PropNex DNC List was in PDF format and placed in a shared folder for internal use on the VO System, which was accessible only by the Organisation’s agents and staff through authenticated login. Earlier versions of the PropNex DNC List had been placed in the same shared folder since the beginning of 2015.

JP Pepperdine Group Pte. Ltd.

On 25 October 2015, the Complainant informed the Personal Data Protection Commission (the “Commission”) that any member of the public could readily access the personal data of members that had joined the Organisation’s membership programme by entering a randomly simulated membership number on a webpage (http://goo.gl/5BX9Rr, a Google URL Shortener that redirects to http://ascentis.com.sg/microcrm/JacksPlace_memberportal/searchprofile.aspx) listed on the Organisation’s membership brochure (the “Webpage”).
Members of the public can also perform a search (without inputting any search parameters) using the search functions available on the Webpage.
The Organisation operates a number of restaurants in Singapore under various brands (e.g. Jack’s Place, Eatzi Gourmet). The Organisation has a membership programme for its customers. Participating in the membership programme entitles members to special promotions and discounts across the different restaurants operated by the Organisation.
Each member would be assigned a 7-digit membership number by the Organisation. Membership numbers run sequentially. At the time of the investigation (December 2015), the Organisation had approximately 30,000 members.
The personal data that was publicly accessible through the Webpage included names of members, gender, marital status, nationality, race, NRIC/Passport number, date of birth, mobile phone number, home phone number, email addresses, residential addresses, and other membership account details.
On 29 October 2015, after receiving the Commission’s notification, the Organisation introduced security features to the Webpage by incorporating a password protection feature such that the Webpage was no longer publicly accessible and could only be accessed after authentication.
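The access-control gap described above, set beside a lookup that requires a session, rejects blank searches and returns only the caller's own record. This is an added Python example, not the Organisation's or its vendor's code; the record store, `open_session`, the function names and the ownership check (which goes beyond the password protection reported here) are assumptions, and the sample records are constructed.

```python
import secrets

# Constructed sample records; sequential 7-digit membership numbers as described above.
MEMBERS = {
    f"{n:07d}": {"member_no": f"{n:07d}", "name": f"Member {n}"}
    for n in range(1000001, 1000006)
}
SESSIONS = {}  # hypothetical session store: token -> membership number


def search_open(member_no=""):
    """Pre-fix behaviour: no login, and a blank search still returns records."""
    if member_no == "":
        return list(MEMBERS.values())
    return [MEMBERS[member_no]] if member_no in MEMBERS else []


def open_session(member_no):
    """Issue an unguessable token; assumes the password check already succeeded."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = member_no
    return token


def search_scoped(token, member_no):
    """Authenticated lookup: non-blank input, limited to the caller's own record."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise PermissionError("login required")
    if not (member_no.isascii() and member_no.isdigit() and len(member_no) == 7):
        raise ValueError("membership number must be 7 digits")
    if member_no != owner:  # ownership check: an assumption added in this example
        raise PermissionError("members may only view their own profile")
    record = MEMBERS.get(member_no)
    return [record] if record else []


def records_exposed(lookup, numbers):
    """Regression check: count the records a lookup releases for a run of numbers."""
    exposed = 0
    for number in numbers:
        try:
            exposed += len(lookup(number))
        except (PermissionError, ValueError):
            pass  # a refused request releases nothing
    return exposed
```

Running `records_exposed` over a run of consecutive numbers gives a quick regression test: the open lookup releases every record in the run, while the scoped lookup releases at most the session owner's.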
The Commission then emphasised that it takes a very serious view of any instance of non-compliance under the PDPA, and urged organisations to take the necessary action to ensure that they comply with their obligations under the PDPA. The Commission will not hesitate to take the appropriate enforcement action against the organisation(s) accordingly.
