Commentary

Time to step up efforts to ensure security of personal information

Despite fines, warnings and publicity, there are still weak links in places where personal data of clients is stored

It's amazing how so many organisations take data security for granted.

Over the past 2½ years, Singapore's privacy watchdog has hauled up 26 organisations - including well-known brand names - and three individuals over data-privacy complaints from consumers.

The most common complaint concerns the leakage of personal data such as mobile number, name and residential address online or to third parties.

And as investigations by the Personal Data Protection Commission have shown, some organisations did not protect such sensitive data with a password while others did not rectify security flaws on their websites or in their computer systems.

To be specific, 20 of these organisations were found guilty of this, and none of them was even aware of the shortcomings. Some received warnings for their negligence, while most of them received fines ranging from $1,000 to $50,000.

The highest fine of $50,000 was slapped on karaoke chain K Box for a data breach involving the details of 317,000 customers in September 2014.

Cyber criminals are not letting up, and the Singapore Government has responded radically by banning Internet access from the workstations of 100,000 public servants. PHOTO: ISTOCKPHOTO

The most recent fines were issued last week to real-estate firm PropNex Realty and JP Pepperdine Group, which operates Jack's Place and Eatzi Gourmet restaurants. They each had to pay a $10,000 fine for lax security.

At this rate, hackers need not train on their keyboards or spend a fortune in the underground black market for malware to infect systems to steal data. There would be enough data-security slackers for hackers to have a field day and wreak some serious damage.

To be sure, the number of privacy-related complaints from consumers eased from about nine a day in 2015 to around eight a day last year, based on the latest figures from the commission.

It is hard to establish a trend based on two years' worth of data, and it remains to be seen if the decline in complaints will continue.

But what is certain is that cyber criminals are not letting up, compelling the Singapore Government to respond radically.

By May this year, Web access will be removed from the work computers of 100,000 public servants, except teachers who are on a separate network.

Surfing can be done only on dedicated Internet workstations or on one's personal smartphone or tablet. The idea is to create an "air gap" to prevent classified information from leaking on the Internet, and malware from infiltrating government internal networks.

It's time that everyone along the chain heeds the call to step up patrols. The weakest link can take down the entire chain.

At the very least, password-protect all sensitive information, or promptly remove vulnerable Web pages that open doors to internal systems.

Hopefully, the fines imposed and recent publicity will act as a wake-up call for others.

Under the Personal Data Protection Act, implemented fully since July 2014, organisations could be fined up to $1 million for failing to secure consumers' personal data in their care, among other requirements.

A version of this article appeared in the print edition of The Straits Times on February 01, 2017, with the headline 'Time to step up efforts to ensure security of personal information'.