In a series of decisions published by the Personal Data Protection Commission (PDPC) on Tuesday (11 February), seven organisations were found to be in breach of the Personal Data Protection Act (PDPA) including Singtel, SPH Magazines, Royal Caribbean Cruises (Asia), AXA Insurance, and NTUC Income.
Total fines imposed on those seven organisations were S$66,000.
According to calculations by The Business Times based on decisions published by the commission from April 2016, the PDPC has imposed a total of S$2.12 million in fines over that period.
These latest organisations that were fined or warned add to the growing number of firms the commission has taken action against in the last four years: 3 in 2016 and 12 in 2017, climbing steeply to 28 in 2018 and 50 in 2019.
In this latest round of decisions, Singtel was fined S$9,000 for another data breach involving its My Singtel mobile app. The firm faced technical issues when migrating to a new billing system in 2018, which resulted in the exposure of the personal data of 750 mobile subscribers, 39 of whom had their data accessed by other users.
Considering the company’s ‘prompt action’ to mitigate the impact of the breach with a temporary fix, and the fact that the migration is now complete and poses no further risk, the PDPC imposed a penalty of S$9,000 on Singtel.
In November 2019, Singtel was also fined S$25,000 for a data breach involving the same app. A design flaw allowed My Singtel users to potentially access other customers’ accounts, which would have exposed the billing information of up to 330,000 subscribers.
SPH Magazines, wholly owned by Singapore Press Holdings, was fined S$26,000 for a breach of the forum site HardwareZone, which it operates, hosts and maintains. A hacker gained access to the system in 2017 by compromising a senior moderator’s account, which the hacker then used to retrieve information on other members.
An investigation into the breach revealed that the hacker had attempted to view 704,764 profiles via the senior moderator’s account, using networks that did not reveal the actual IP (internet protocol) address. It was also found that the account had used the same password for 10 years, one that did not meet the length and complexity standard SPH Magazines had implemented.
SPH only discovered the hack when the incident came to its attention, even though the account had been accessed by an intruder as far back as 2015.
Royal Caribbean Cruises (Asia)
The cruise company was fined S$16,000 over a ransomware attack on its vendor’s system, which resulted in the breach of the personal data of 6,000 of its customers. The attacker tapped into the database in the receipt system and left a ransom message demanding a payment of 0.08 bitcoin for the data. The personal data of 25 employees was also compromised.
The PDPC noted that while a vendor had been engaged to develop the receipt system, it was RCC that processed the personal data of the employees and customers, making the cruise company solely responsible for the protection of that data.
Wholly owned by the Singapore Contractors Association, the Academy had not taken reasonable security steps to protect the personal data of 3,628 people who had attended its programmes. The unsecured data included name, race, nationality, date of birth, identity card number, address, company name and more, said the PDPC.
The scanned registration documents of more than 3,000 people were publicly accessible. This was revealed by an online search done in 2018.
The company was hit with a S$15,000 fine.
Warnings for NTUC & AXA; directions for Henry Park Primary School’s Parents’ Association
The PDPC found that a coding error at NTUC Income led to the inadvertent disclosure of the personal data of 17 people to 123 other users who were making inquiries through its website last year.
The other insurer, AXA Insurance, had sent an email to one person last year containing a scanned document with the personal data of 87 policyholders, which was actually meant for internal records.
Finally, for Henry Park Primary School Parents’ Association, the PDPC imposed directions on the association for failing to put in place reasonable measures to protect personal data, not appointing an officer for data protection, and not having written policies and practices to ensure compliance with data protection laws.