In a series of decisions published by the Personal Data Protection Commission (PDPC) on Tuesday (11 February), seven organisations were found to be in breach of the Personal Data Protection Act (PDPA) including Singtel, SPH Magazines, Royal Caribbean Cruises (Asia), AXA Insurance, and NTUC Income.

Total fines imposed on those seven organisations were S$66,000.

According to calculations by The Business Times based on decisions published by the commission from April 2016, the PDPC has imposed a total of S$2.12 million in fines over that period.

These latest organisations which were fined and warned add to the increasing number of firms which the commission has taken action against in the last four years, starting with 3 in 2016 and 12 in 2017 and climbing steeply to 28 in 2018 and 50 in 2019.

In January last year, the PDPC fined Singapore Health Services (SingHealth) and Integrated Health Information Systems (IHiS) a total of S$1 million over the country’s worst data breach in history involving the personal data of 1.5 million SingHealth patients. SingHealth was fined S$250,000 while IHiS was fined S$750,000.

Singtel

In this latest round of decisions, Singtel was fined S$9,000 for another data breach involving its My Singtel mobile app. The firm faced some technical issues when migrating to a new billing system back in 2018, which resulted in the exposure of personal data of 750 mobile subscribers, 39 of which were accessed by other users.

Considering the company’s ‘prompt action’ to mitigate the impact of this breach with a temporary fix, and the fact that the migration is now completed and poses no further risk, the PDPC fined the company S$9,000.

In November 2019, Singtel was fined S$25,000 for a data breach involving the app as well. A design flaw allowed My Singtel users to potentially access other customers’ accounts, which would expose billing information of up to 330,000 subscribers.

SPH Magazines

SPH Magazines, wholly owned by Singapore Press Holdings, was fined S$26,000 for a breach of the forum site HardwareZone, which it operates, hosts and maintains. A hacker had gained access to the system in 2017 and hacked into a senior moderator’s account, which the hacker then used to retrieve information of other members.

An investigation into the breach revealed that the hacker had attempted to view 704,764 profiles via the senior moderator’s account, using networks that did not reveal the actual IP (internet protocol) address. It was also found that the account had the same password for 10 years, which did not meet the length and complexity standard that SPH Magazines implemented.

SPH also only discovered the hack when this incident came to their knowledge, though the account was accessed by an intruder way back in 2015.

Royal Caribbean Cruises (Asia)

The cruise company was fined S$16,000 over a ransomware attack on its vendor’s system which resulted in the breach of personal data of 6,000 of its customers. The attacker tapped into the database in the receipt system and left a ransom message demanding a payment of 0.08 bitcoin for the data. The personal data of 25 employees were also compromised.

PDPC noted that while a vendor was engaged to develop the receipt system, it was RCC that processed the personal data of the employees and customers, making the cruise company solely responsible for the protection of the data.

SCAL Academy

Wholly-owned by Singapore Contractors Association, the Academy has not taken reasonable security steps to protect the personal data of 3,628 people who had attended its programmes. The unsecured data includes name, race, nationality, date of birth, identity card number, address, company name and more, said PDPC.

The scanned registration documents of the over 3,000 people were publicly accessible. This was revealed in an online search done in 2018.

The company was hit with a S$15,000 fine.

Warnings for NTUC & AXA; directions for Henry Park Primary School’s Parents’ Association

Aside from the four companies which were fined, PDPC also issued a warning to NTUC Income and AXA Insurance for a breach of the protection obligation due to their respective breaches.

PDPC found that NTUC Income’s coding error led to the inadvertent disclosure of the personal data of 17 people to 123 other users who were making inquiries through its website last year.

The other insurer, AXA Insurance, had sent an email to one person last year containing a scanned document with the personal data of 87 policyholders, which was actually meant for internal records.

Finally, for Henry Park Primary School Parents’ Association, the PDPC imposed directions on the association for failing to put in place reasonable measures to protect personal data, not appointing an officer for data protection, and not having written policies and practices to ensure compliance with data protection laws.
