PropNex fined $10,000 for data breach

Property agency inadvertently caused details of 1,765 people to be leaked online

Singapore's privacy watchdog has fined PropNex Realty $10,000 after it inadvertently caused the personal data of 1,765 people to be leaked online. It is the second time the real estate industry has been in the news in the last three years over data privacy issues.

The Personal Data Protection Commission had fined an agent from Huttons Asia $27,000 in 2014 for sending text messages to numbers listed on the Do Not Call registry, which is covered under the Personal Data Protection Act.

The commission started probing PropNex in December 2015 following a complaint from an unnamed woman that her name and mobile number were in an unsecured PDF document freely available online.

She alleged that she and her sisters - whose numbers were also in the PDF file containing a list of do-not-call numbers - had been receiving unsolicited marketing calls and messages from telemarketers, including moneylenders.

In a decision paper issued earlier this week, the commission said PropNex had removed the PDF file in January last year, as told.

But by then, the file listing one item or all of the information - name, mobile number, residential address and e-mail address - of 1,765 individuals had been on the Internet for several months.

PASSWORD PROTECTION

Immediately after notification, systems and procedures were enhanced... All such information is now protected with a password.

PROPNEX SPOKESMAN CAROLYN GOH, noting that the leak was unintentional.

The PDF file was first uploaded in July 2015 on a computer system meant only for internal sharing by PropNex agents and staff. But the system had a huge security flaw: Although a password was required to access webpages hosted by the system, no password was needed to access documents such as PDF files.

A simple Google search would reveal the details in the PDF file.

PropNex did not detect the flaw for five months despite having periodic testing of its systems.

It was found guilty of failing to take reasonable security measures to protect the personal data in its possession or under its control. Organisations flouting the Act, in force since July 2014, can be fined up to $1 million.

The commission also directed PropNex to scan the system for more vulnerabilities, and banned the sharing of sensitive files on the system among its agents until the security flaw is fixed.

PropNex's holding company, P&N Holdings, said the leak was unintentional. PropNex spokesman, Ms Carolyn Goh, told The Straits Times: "Immediately after notification, systems and procedures were enhanced... All such information is now protected with a password."

Earlier this week, the commission fined JP Pepperdine Group, which operates Jack's Place and Eatzi Gourmet restaurants, $10,000 for failing to secure a webpage where its 30,000 members' personal data was hosted.

A version of this article appeared in the print edition of The Straits Times on January 27, 2017, with the headline 'PropNex fined $10,000 for data breach'. Print Edition | Subscribe