SINGAPORE: Two companies here - JP Pepperdine Group and Propnex Realty - were fined S$10,000 each by the Personal Data Protection Commission (PDPC) for failing to secure their customers' personal details on their IT systems.
According to the decisions listed on the PDPC website earlier this week, it received a complaint on Oct 25, 2015, against JP Pepperdine Group after it was discovered that anyone could access the personal data of members who had joined its membership programme simply by leaving the search bar on the company's website empty and clicking search.
Alternatively, the data could also be accessed by entering an arbitrary membership number on a webpage hosted by its third-party vendor Ascentis. Ascentis had created the webpage for a one-off promotional event held in 2013, and it was meant for internal use only.
The personal data that was publicly accessible through the webpage included names, gender, marital status, nationality, race, NRIC/passport number, date of birth, mobile phone number, home phone number, email addresses, residential addresses, and other membership account details.
At the time of the investigation, JP Pepperdine Group, which operates restaurants such as Jack's Place and Eatzi Gourmet, had approximately 30,000 members, the PDPC decision paper said.
PDPC found the company in breach of Section 24 of the Personal Data Protection Act (PDPA), and imposed the S$10,000 financial penalty. It also said the data breach could have been prevented, or its impact reduced, if JP Pepperdine had ensured from the start that the webpage was inaccessible to the public, or had removed it once the 2013 event had ended.
1,765 AFFECTED BY PROPNEX BREACH
In another case, PDPC imposed a S$10,000 financial penalty on Propnex Realty after finding that it failed to take reasonable security measures to protect the personal data in its possession and was in breach of Section 24 of the PDPA.
The personal data of 1,765 individuals contained in the PropNex Do Not Call list, such as names, mobile and home phone numbers, full or partial residential addresses and email addresses, was accessible online via a PDF of the list dated Jul 29, 2015.
PDPC was notified after the complainant and her sisters had been receiving marketing calls and messages from various telemarketers on their mobile phones despite never having given consent to be contacted. After speaking to one of the telemarketers, the complainant found out that her contact details were available online through the above-mentioned PDF.
Investigations showed that the list was disseminated internally as a PDF file in the company's Virtual Office System, which was available only to its agents and staff through an authenticated login.
However, the list itself was not password-protected, and the Virtual Office System's authentication applied only to webpages, not to documents such as PDF files.
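The authentication gap described above, shown as an added illustration that is not part of the PDPC decision or this article: a minimal Python request dispatcher in which the login check is wired only into the page handler, beside a hardened version that gates every path under the protected prefix before any handler is chosen, plus an audit helper that lists which protected paths still answer an anonymous request. All paths, user names and file contents are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # None: no authenticated login

# Constructed content store: HTML pages and a shared-folder document
PAGES = {"/vo/home": "<html>agent dashboard</html>"}
DOCS = {"/vo/shared/dnc_list.pdf": b"%PDF-1.4 constructed placeholder"}

Response = Tuple[int, Optional[object]]  # (status code, body)

def serve_pages_only_auth(req: Request) -> Response:
    """Weak design: the login check lives inside the page handler only.
    Document requests fall through to a static-file branch that never
    consults the session, so anyone holding the URL can fetch the PDF."""
    if req.path in PAGES:
        if req.session_user is None:
            return 401, None
        return 200, PAGES[req.path]
    if req.path in DOCS:  # static branch: no authentication at all
        return 200, DOCS[req.path]
    return 404, None

def serve_all_paths_auth(req: Request) -> Response:
    """Hardened design: one authentication gate in front of every resource
    under the protected prefix, evaluated before any handler is chosen,
    so pages and documents are covered by the same check."""
    if req.path.startswith("/vo/") and req.session_user is None:
        return 401, None
    if req.path in PAGES:
        return 200, PAGES[req.path]
    if req.path in DOCS:
        return 200, DOCS[req.path]
    return 404, None

def anonymously_reachable(serve: Callable[[Request], Response],
                          paths: List[str]) -> List[str]:
    """Audit helper: which protected paths return content to a request
    carrying no session? A non-empty result is exactly the gap the
    investigation found, and is the check to run over every document
    path, not only the HTML routes."""
    return [p for p in paths if serve(Request(p))[0] == 200]

PROTECTED = list(PAGES) + list(DOCS)  # every path the login should cover
```

Running the audit helper against both dispatchers shows the PDF leaking from the first and nothing leaking from the second.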
"In relation to the shared folder in the VO System, this was meant for forms and templates and not sensitive documents, but this policy was neither formally recorded nor communicated to users. Over time, therefore, this design limitation remained as a vulnerability but was overlooked," PDPC noted in its decision paper.
It added: "The Commission emphasises that it takes a very serious view of any instance of non-compliance under the PDPA, and it urges organisations to take the necessary action to ensure that they comply with their obligations under the PDPA."