Fined for leaking 8,000 people's personal data

Printing firm hired by insurer among eight parties rapped for personal data breaches

A printing firm hired by an insurance company sent erroneous account statements to policyholders that resulted in more than 8,000 people having their personal data leaked.

The data breach by Toh-Shi Printing Singapore was its second such infringement and it was fined $25,000 last month by the Personal Data Protection Commission Singapore (PDPC) for failing to implement adequate checks in processing personal data.

It was one of eight parties dealt with by the commission for data breaches in the last six months, according to the PDPC website. In the previous update in April, 11 defaulters had been taken to task.

Under the Personal Data Protection Act (PDPA), parties that fail to protect personal data can be fined up to $1 million per breach.

The breach by Toh-Shi involved policyholders under the Public Officers Group Insurance Scheme (Pogis), for which Aviva was the appointed insurer.

Other cases

  • SEPT 23: ABR Holdings warned for failing to reasonably secure the Swensen's Kids Club website to prevent unauthorised disclosure of personal data.

  • SEPT 21: Fu Kwee Kitchen Catering Services and Pixart fined $3,000 and $1,000 respectively for inadequate measures to prevent unauthorised access to customers' personal data on their websites.

  • AUG 11: Mr Justin Chua fined $500 for disclosing personal data of two of his landlord's tenants to a third party without consent.

  • JULY 25: Spear Security Force warned for failing to prevent unauthorised access to personal data in visitor log book.

  • JUNE 24: AIA Singapore warned for failing to ensure disclosure of policyholder's personal data to a third party was for a reasonable purpose.

A total of 7,794 Pogis policyholders received erroneous statements that disclosed the personal data of 8,022 individuals, including the policyholders' dependants.

Toh-Shi, which provides mail-out services of all correspondence for Aviva and data-printing services for ad hoc projects, admitted the data breach occurred because its staff had failed to comply with the company's own security measures and procedures.

Toh-Shi sent out 7,794 corrected statements together with an apology letter prepared by Aviva, and a $50 shopping voucher, to affected policyholders. Aviva also waived a month's insurance premium as a token.

The commission said in its decision grounds that the personal data disclosed "are of a sensitive nature, not merely from a financial perspective but can also be socially embarrassing".

PDPC chairman Leong Keng Thai said the breach could have been avoided if Toh-Shi had followed standard operating procedures. For its first breach, about a year ago, Toh-Shi had been fined $5,000.

"The commission emphasises that it takes a very serious view of any instance of non-compliance under the PDPA, and it urges organisations to take the necessary action to ensure they comply with their obligations under the PDPA," wrote Mr Leong.

Also last month, GMM Technoworld, a retailer of products like waterproof gadgets and measuring instruments, was fined $3,000 for inadequate security on its official website. This led to unauthorised disclosure of the personal data of some 190 customers.

The commission noted that GMM took immediate steps upon being notified to stop the breach and implemented corrective measures to protect customers' data.

The commission also dismissed a case brought against Comfort Transportation and CityCab last month.

Two complaints were made against the cab operators for disclosing taxi drivers' mobile phone numbers to customers who had booked the cabs, as part of the booking process.

Commission member Yeong Zee Kin ruled in decision grounds that both organisations were not found to be in breach of consent or notification obligations because the mobile phone numbers of taxi drivers were used as business contact numbers.

The 11 organisations rapped earlier in April included household names K Box Entertainment Group, Challenger Technologies, Metro and the Singapore Computer Society, which all failed to protect customers' personal data.

A version of this article appeared in the print edition of The Straits Times on October 26, 2016, with the headline 'Fined for leaking 8,000 people's personal data'.