In a series of decisions published by the Personal Data Protection Commission (PDPC) on Tuesday (11 February), seven organisations were found to be in breach of the Personal Data Protection Act (PDPA) including Singtel, SPH Magazines, Royal Caribbean Cruises (Asia), AXA Insurance, and NTUC Income.

Total fines imposed on those seven organisations were S$66,000.

According to calculations by The Business Times based on decisions published by the commission from April 2016, the PDPC has imposed a total of S$2.12 million in fines over that period.

These latest organisations which were fined and warned add to the increasing number of firms which the commission has taken action against in the last four years, starting with 3 in 2016 and 12 in 2017 and climbing steeply to 28 in 2018 and 50 in 2019.

In January last year, the PDPC fined Singapore Health Services (SingHealth) and Integrated Health Information Systems (IHiS) a total of S$1 million over the country’s worst data breach in history involving the personal data of 1.5 million SingHealth patients. SingHealth was fined S$250,000 while IHiS was fined S$750,000.


In this latest round of decisions, Singtel was fined S$9,000 for another data breach involving its My Singtel mobile app. The firm faced technical issues when migrating to a new billing system in 2018, which resulted in the exposure of the personal data of 750 mobile subscribers, 39 of which were accessed by other users.

Considering the company’s ‘prompt action’ to mitigate the impact of this breach with a temporary fix, and the fact that the migration is now completed and poses no further risk, the PDPC imposed a penalty of S$9,000 on Singtel.

In November 2019, Singtel was fined S$25,000 for a data breach involving the app as well. A design flaw allowed My Singtel users to potentially access other customers’ accounts, which would expose the billing information of up to 330,000 subscribers.

SPH Magazines

SPH Magazines, wholly owned by Singapore Press Holdings, was fined S$26,000 for a breach of the forum site HardwareZone, which it operates, hosts and maintains. A hacker had gained access to the system in 2017 and hacked into a senior moderator’s account, which the hacker then used to retrieve information of other members.

An investigation into the breach revealed that the hacker had attempted to view 704,764 profiles via the senior moderator’s account, using networks that did not reveal the actual IP (internet protocol) address. It was also found that the account had used the same password for 10 years, and that the password did not meet the length and complexity standard that SPH Magazines implemented.

SPH also discovered the hack only when this incident came to its knowledge, although the account had been accessed by an intruder as far back as 2015.

Royal Caribbean Cruises (Asia)

The cruise company was fined S$16,000 over a ransomware attack on its vendor’s system which resulted in the breach of personal data of 6,000 of its customers. The attacker tapped into the database in the receipt system and left a ransom message demanding a payment of 0.08 bitcoin for the data. The personal data of 25 employees were also compromised.

PDPC noted that while a vendor was engaged to develop the receipt system, it was RCC that processed the personal data of the employees and customers, making the cruise company solely responsible for the protection of the data.

SCAL Academy

Wholly-owned by Singapore Contractors Association, the Academy has not taken reasonable security steps to protect the personal data of 3,628 people who had attended its programmes. The unsecured data includes name, race, nationality, date of birth, identity card number, address, company name and more, said PDPC.

The scanned registration documents of the over 3,000 people were publicly accessible. This was revealed in an online search done in 2018.

The company was hit with a S$15,000 fine.

Warnings for NTUC & AXA; directions for Henry Park Primary School’s Parents’ Association

Aside from the four companies which were fined, PDPC also issued warnings to NTUC Income and AXA Insurance for breaching the protection obligation in their respective incidents.

PDPC found that NTUC Income’s coding error led to the inadvertent disclosure of the personal data of 17 people to 123 other users who were making inquiries through its website last year.

The other insurer, AXA Insurance, had sent an email to one person last year containing a scanned document with the personal data of 87 policyholders, which was actually meant for internal records.

Finally, for Henry Park Primary School Parents’ Association, the PDPC imposed directions on the association for failing to put in place reasonable measures to protect personal data, not appointing an officer for data protection, and not having written policies and practices to ensure compliance with data protection laws.
