SINGAPORE: The Personal Data Protection Commission (PDPC) has taken enforcement actions against 11 organisations for breaching the Personal Data Protection Act (PDPA).
Five organisations were issued direct warnings, four of which included financial penalties, the PDPC said on Thursday (Apr 21).
PDPC imposed a financial penalty of S$50,000 on karaoke chain, K Box Entertainment Group, for not having sufficient security measures to protect the personal data of 317,000 members. Details such as their contact number, email address, NRIC number and date of birth were leaked on a publicly accessible website after the company's database was hacked.
The PDPC found that K Box did not update security patches to ensure its IT system security was sufficiently robust and it did not have a Data Protection Officer to develop or implement data protection policies. There was also weak control of access to personal data.
A financial penalty of S$10,000 was also imposed on the IT vendor in charge of K Box's content management system, Finantech Holdings, for failing to implement proper and adequate protective measures for the personal data in the system it had built and managed for K Box, PDPC said.
The use of the weak password "admin" for the administrator account also made the system vulnerable to hacks, it added.
Other organisations that faced financial penalties include the Institution of Engineers, Singapore and health supplements supplier, Fei Fah Medical Manufacturing.
Warnings were also issued to six others including Challenger Technologies, Metro, Xirlynx Innovations, Full House Communications, Singapore Computer Society and Yes Tuition Agency.
Since the PDPA came into full effect in July 2014, the PDPC has received 667 complaints. Of these, 92 per cent of the complaints have been resolved through investigation and facilitation between the respective organisations and individuals.
“The common issue with the breaches has a lot to do with how they have adopted IT practices that aren’t so good,” said PDPC Chairman Leong Keng Thai. “A lot of this could have been avoided if they think about the fact that they’re handling sensitive information, just as they would handle commercially valuable information.”
“If they had been done properly, many of these breaches could have been avoided.”
That said, enforcement is not about deterring organisations from using personal information or data, said Mr Leong. “We recognise that data, including personal data, is essential to innovation in today’s economy. So what we’re saying is, use the information for business competitiveness, but use it responsibly, and take appropriate measures to protect personal data information.”
He added that many of the 11 organisations have already taken action to sort out the identified weaknesses.