Singapore's privacy watchdog has fined 22 organisations - one of them twice - a total of $216,500 over the past two years for security breaches that exposed the personal details of Singaporeans. Another 19 organisations have been censured for their shortcomings.

The numbers compiled by The Straits Times give the clearest indication yet of how deep the problem of securing personal data runs. It has also raised concerns among experts that organisations are still not taking this issue seriously.

Of particular worry is the fact that nearly every fine issued by the Personal Data Protection Commission (PDPC) centred around the same type of offence - inadequate security measures for personal data. Experts say this points to a lack of understanding over how the data laws apply to daily operations - more than three years after the Personal Data Protection Act was fully enforced in July 2014.

Technology lawyer Bryan Tan of Pinsent Masons MPillay said: "Some companies think there is a magic bullet, that they are in the clear by putting disclaimer clauses on their website or by attending some course."

Mr Kevin Shepherdson, chief executive officer of Straits Interactive, who has trained more than 500 data protection officers this year, said that many small and medium-sized enterprises are still ignorant about the requirements of the law.

"Unless organisations proactively identify and tackle risks in their business processes and those of their third-party vendors, the same mistakes will continue to be made," he said.

Over the past two months, the three organisations that got into hot water had all failed to take reasonable security measures to protect personal data.

Online shopping service provider ComGateway and charity organisation Credit Counselling Singapore were fined $10,000 each, and social media marketing firm Social Metric was fined $18,000.

Due to a vulnerability on ComGateway's shipping webpage, the personal data of 108,085 customers was vulnerable to unauthorised access and could have been harvested by a hacker.

Meanwhile, a staff member of Credit Counselling Singapore accidentally sent out a mass e-mail to 96 individuals under its debt management programme, exposing their e-mail addresses and names.

In a more serious case, PDPC said Social Metric had "flagrantly" exposed the names, ages, e-mail addresses, contact numbers and occupations of 558 consumers, including the names and ages of 155 children, on its website without any password protection. Some of the data lay exposed for more than two years.

Social Metric conducts social media contests on behalf of clients on its website, and collects the personal data of consumers.

The case is similar to one involving PropNex Realty, which did not even password-protect access to an online document on its website, for which the realty firm was fined $10,000 in January last year. That particular document had contained the personal details of 1,765 individuals.

Similar offences also took place in 2016 when the PDPC issued its first batch of fines totalling $123,500.

The total in fines meted out last year amounted to $93,000, but observers say the drop did not mean that more companies had become more law abiding.

The Straits Times understands that some cases take up to one year to investigate, and the number of cases also depends on when consumers report them.

Lawyer Koh Chia Ling of law firm OC Queen Street said: "You can expect breaches to continue to occur because of human error."