
Review of Recent PDPC Decisions

Feb 14 2020 | by OrionW


A group of recent decisions from Singapore’s Personal Data Protection Commission (PDPC) reinforces the importance organisations must place on protecting personal data in their possession or under their control.  All seven decisions involve failures to implement reasonable security arrangements to prevent cyberattacks and inadvertent disclosures.  Outcomes ranged from directions and warnings to a $26,000 fine.

The consistent theme running through these cases is poor security engineering practice:  inadequate testing, failure to install patches, failure to conduct vulnerability testing and poor password practices, among others.  One case emphasised the need to monitor and manage vendors carefully: outsourcing a system does not outsource the obligation to protect the personal data held in it.  The PDPC stressed that extra care is required whenever personal data are involved.

The PDPC assesses mitigating and aggravating factors to determine a penalty appropriate to each case.  The PDPC views favourably organisations that accept responsibility for their breaches, take prompt remedial action, self-report their violations to the PDPC and cooperate with the PDPC’s investigation.  Organisations that do not act in those ways, or that exhibit indifference or neglect towards their data protection obligations under the Personal Data Protection Act (PDPA), may find the PDPC levying greater penalties than it otherwise would.

The following summarises the recent PDPC decisions.  Each entry gives the organisation and its sector, the incident and its cause, the PDPA violations found, and the decision or penalty.

Henry Park Primary School Parents’ Association (Sector: Education)

Incident: Confidential personal data was found to be indexed by Google and accessible to any public user.
Cause: Failure to conduct vulnerability scans and security testing.
PDPA violations: (1) failure to put in place reasonable security arrangements to protect personal data; (2) failure to appoint a data protection officer; (3) no written policies and practices to ensure PDPA compliance.
Decision/Penalty: Directions imposed.

AXA Insurance Pte. Ltd. (Sector: Insurance)

Incident: Personal data of 87 individuals was sent by email to an unintended recipient.
Cause: Failure to implement a process to segregate documents intended for internal record purposes from documents intended for customers.
PDPA violations: Failure to put in place reasonable security arrangements to prevent inadvertent disclosure of personal data.
Decision/Penalty: Warning issued.

NTUC Income Insurance Co-Operative Limited (Sector: Insurance)

Incident: 123 users received automated emails with attachments containing the personal data of 17 individuals, due to a coding error.
Cause: Failure to detect the error during the manual code review process and failure to simulate the expected test scenarios.
PDPA violations: Failure to put in place reasonable security arrangements to prevent unauthorised disclosure of personal data.
Decision/Penalty: Warning issued.

Royal Caribbean Cruises (Asia) Pte. Ltd. (Sector: Travel & Hospitality)

Incident: Personal data of customers and employees was exposed to unauthorised access in a cyber-attack.
Cause: Failure to implement software patches.
PDPA violations: Failure to put in place reasonable security arrangements to protect personal data.
Decision/Penalty: $16,000 fine.

SPH Magazines Pte Ltd (Sector: Media)

Incident: An unknown hacker used the leaked credentials of a senior employee who moderated its HardwareZone forum site to gain unauthorised access to the personal data of forum members.
Cause: Failure to implement reasonable password security arrangements or policies.
PDPA violations: Failure to put in place reasonable security arrangements to prevent unauthorised access to personal data.
Decision/Penalty: $26,000 fine.

SCAL Academy Pte. Ltd. (Sector: Construction / Training)

Incident: An online search of customers’ names returned links to scanned copies of their registration documents.
Cause: Failure to conduct tests, or to verify that tests had been conducted, and failure to check the security measures put in place by its vendor.
PDPA violations: Failure to put in place reasonable security arrangements to protect personal data.
Decision/Penalty: $15,000 fine.

Singapore Telecommunications Limited (Sector: Telecoms)

Incident: Owing to a technical issue during the migration of a database to a new billing system, certain subscribers were able to view the personal data of other subscribers for a period of about 11 hours.
Cause: Failure to conduct thoroughly scoped tests that anticipated likely scenarios.
PDPA violations: Failure to put in place reasonable security arrangements to prevent unauthorised disclosure of personal data.
Decision/Penalty: $9,000 fine.

Disclaimer: This article is for general information only and does not constitute legal advice.