Singapore penalises firms for data breaches

Government fines organisations and issues warning to several others for breaching the country's Personal Data Protection Act, including local IT retailer Challenger and Chinese handset maker Xiaomi.
Written by Eileen Yu, Senior Contributing Editor

Several organisations in Singapore have been fined and issued warnings for breaching the country's Personal Data Protection Act (PDPA), including local IT retail chain Challenger Technologies and Chinese handset maker Xiaomi.

The Personal Data Protection Commission (PDPC) said Thursday that it had imposed financial penalties of various amounts to four organisations, which had failed to implement adequate security measures to safeguard the personal data of its customers.

Singapore's PDPA was tabled in 2012 following years of deliberation and came into full effect in July 2014. The act does not apply to the public sector, including government ministries and agencies.

K Box Entertainment Group was fined S$50,000 for its failure to put in place adequate data protection policies and security safeguards as well as not having a data protection officer. The local karaoke chain has a membership of 317,000. Its IT vendor, Finantech Holdings, which was responsible for managing its content management system, also was fined S$10,000.

K Box in September 2014 suffered a data leak when its database was breached by a hacker group, The Knowns, which affected various customer information including e-mail addresses, contact numbers, birth dates, and membership details.

The Institution of Engineers in Singapore as well as Fei Fah Medical Manufacturing were fined S$10,000 and S$5,000, respectively, for their failure to implement sufficient security measures to safeguard the data of their members and customers.

The PDPC issued directives and warnings to seven other organisations, which would need to improve their data protection policies and measures. Challenger was warned about lapses in its handling of personal data, as was retail chain Metro and tuition agency Yestuition Agency. IT vendor Xirlynx Innovations and IT industry group Singapore Computer Society also were found to have less than adequate data management practices.

Tour agency Universal Travel Corporation was issued a directive for unauthorised disclosure of personal data belonging to 37 customers.

Xiaomi's Singapore outfit was instructed to improve its compliance after the PDPC determined the Chinese handset maker had signed up customers for its cloud messaging services by default and without notifying users. Another complaint lodged against Xiaomi for disclosing personal data to third-party marketers without consent was dismissed after the PDPC found the claim to be unsubstantiated.

In deciding on the necessary enforcement actions, the commission said it assessed the severity of non-compliance such as whether the organisations had taken reasonable measures to prevent the data breach and whether they had data protection policies and processes in place. The number of individuals affected as well as time taken to rectify the data breach after it had been identified also were taken into consideration.

PDPC Chairman Leong Keng Thai said: "The enforcement actions taken are not to deter the use of personal data for business competitiveness [as] we recognise that data is essential for innovation in today's economy. The key is to use it responsibly and take appropriate actions to protect it.

"Both the organisation and its data intermediary, such as IT vendors that provide systems and data management solutions to businesses, are expected to exercise due care and implement adequate security measures," Leong explained.

Since the act came into effect, the commission had received 667 compliances, of which 92 percent were resolved through investigation and facilitation between the organisations and individuals.

Editorial standards