11 organisations hauled up for lax data security
SINGAPORE'S privacy watchdog has cracked down on organisations that collected personal data from their customers and members but failed to take adequate steps to protect such information.
Lax security procedures were behind most of the sanctions imposed for flouting the Personal Data Protection Act.
It is the first time the Personal Data Protection Commission (PDPC) has taken action against rule breakers since the law took full effect in July 2014. Four organisations were fined and seven issued with warnings or directives, the watchdog said yesterday.
The list of those at fault - including industry body Institution of Engineers Singapore, karaoke chain K Box and brand names like Metro and Challenger - suggest that the requirements of the law have not sunk in yet, said lawyers.
The heaviest fine of $50,000 was slapped on K Box for a data breach involving 317,000 customers, resulting in their names, contact numbers and residential addresses being posted on file sharing website pastebin.com in September 2014.
Organisations that fail to protect consumers' personal data can be fined up to $1 million per breach.
The security measures put in place by K Box were found to be lax. For instance, access to its computers was protected by weak passwords comprising only one letter of the alphabet.
K Box's IT vendor Finantech Holding had failed to update K Box's systems with the latest software. The password for the system administrator account was simply "admin", making K Box's system vulnerable to hacks.
For this, Finantech was fined $10,000.
PDPC chairman Leong Keng Thai said that organisations were free to use consumers' personal data to deliver better customer service.
"The key is to use it responsibly and take appropriate actions to protect it," he added.
The Institution of Engineers Singapore was fined $10,000 after personal data of 4,000 members was wrongfully disclosed.
Health supplements supplier Fei Fah Medical Manufacturing was penalised $5,000 over data disclosure involving 900 customers. Both organisations had failed to put in place adequate security measures.
Several organisations were warned for lapses in securing data.
They include IT retail chain Challenger Technologies and its IT vendor Xirlynx Innovations; home exhibition organiser Full House Communications; Metro megastore; the Singapore Computer Society and Yestuition Agency.
Lawyer Bryan Tan of Pinsent Masons MPillay said organisations are either ignorant or careless.
"A policy to secure private data and the appointment of a data protection officer are basic must-haves," he added.
Metro said that it hired auditor KPMG to assess the security of its systems after a data leak involving 445 customers was discovered last year.
It now encrypts its data.
Universal Travel Corporation was told to send staff for training, as they wrongfully disclosed personal data of 37 customers.
The enforcement followed 667 complaints to the PDPC - mostly that data was wrongfully collected or used.