Singapore privacy watchdog fines and warns 11 organisations for data breaches

K Box was fined $50,000 for not putting in place sufficient security measures to protect the personal data of 317,000 members.
K Box was fined $50,000 for not putting in place sufficient security measures to protect the personal data of 317,000 members. PHOTO: ST FILE

SINGAPORE - The country's privacy watchdog has imposed sanctions on a bumper crop of organisations including karaoke chain K Box Entertainment Group for flouting the Personal Data Protection Act.

This is the first time the Personal Data Protection Commission (PDPC) has taken action against rule breakers since the law took full effect in July 2014.

Specifically, four organisations were slapped with fines, and seven others were issued warnings or directions for failing to protect the personal data of consumers, the commission said on Thursday.

The heaviest fine of $50,000 went to K Box for leaking the name, contact number and residential address of 317,000 customers in September 2014. Under the Act, organisations that fail to protect consumers' personal data can be fined up to $1 million per breach.

Investigations by PDPC found that someone had extracted customers' information from K Box's computers and uploaded the data on file sharing website pastebin.com because the karaoke chain's security measures were lax. For instance, it did not update its computer software with the latest version, and computer account holders had weak passwords comprising only one letter in the alphabet.

K Box's IT vendor Finantech Holding was also found to be guilty as it failed to update K Box's systems that hold customer information with the latest, most secure software. The password used for the administrator account was simply "admin", making K Box's system vulnerable to hacks as well. For this, Finantech was fined $10,000.

Said PDPC chairman Leong Keng Thai: "The enforcement actions taken are not to deter the use of personal data for business competitiveness. We recognise that data is essential for innovation in today's economy.

"The key is to use it responsibly and take appropriate actions to protect it. Both the organisation and its data intermediary, such as IT vendors that provide systems and data management solutions to businesses, are expected to exercise due care and implement adequate security measures."

The two other organisations fined were the Institution of Engineers Singapore - an industry body - and health supplements supplier Fei Fah Medical Manufacturing. The former was fined $10,000, and the latter $5,000, for failing to put in place adequate security measures, affecting 4,000 members and 900 customers respectively.

The six organisations warned for lapses in handling personal data were IT retail chain Challenger Technologies and its IT vendor, Xirlynx Innovations; Full House Communications, a home show organiser; megastore Metro; the Singapore Computer Society, an industry association; and tuition service provider Yestuition Agency.

Meanwhile, tour agency Universal Travel Corporation was issued directions to strengthen its data protection policy and send staff for training, as its staff had wrongfully disclosed the personal data of 37 customers. But the agency was not fined.

PDPC has received a total of 667 complaints since the law came into full effect, 92 per cent of which were resolved between the organisations involved and consumers.

Common complaints include the collection, use and disclosure of personal data without notification or consent, as well as the disclosure of personal data through lack of protection by these organisations.