Singtel, SPH Magazines fined over data breaches

They are among four firms fined $66,000 in total; three others also found flouting law

Telco Singtel has been fined $9,000 for yet another data breach involving its My Singtel mobile app.

Singtel, SPH Magazines and Royal Caribbean Cruises (Asia) were among the latest of seven organisations that flouted the data protection law. Four of them have been fined $66,000 in total, noted the Personal Data Protection Commission (PDPC) on Tuesday.

Singtel encountered a technical issue during its migration to a new billing system in early 2018, resulting in the personal data of 750 mobile subscribers being exposed.

The PDPC considered the firm's prompt action to mitigate the impact and imposed a $9,000 penalty.

A wholly owned unit of media and property group Singapore Press Holdings, SPH Magazines, was fined $26,000.

SPH Magazines operates, hosts and maintains the HardwareZone forum site, an online Internet portal for members to engage in discussions.

A hacker got into the system in 2017 and accessed a senior moderator's account, which the intruder then used to retrieve the user profiles of members.

The system had a total of 685,393 user profiles at the time.

Investigations showed that the senior moderator's account was used to perform 704,764 attempted views of members' user profiles using networks that did not reveal the actual source IP (Internet Protocol) address, between Sept 22 and Sept 30 that year.

The moderator's password had not been changed in 10 years and did not meet the length and complexity standard SPH Magazines implemented for its employees.

The account had also been accessed as early as December 2015.

Royal Caribbean Cruises notified the PDPC last year that its vendor's system had been subject to a ransomware attack, resulting in sensitive personal data of about 6,000 of its customers being accessed.

The cyber attacker had left a ransom message demanding payment of 0.08 bitcoin for the deleted data.

The operator said 25 of its employees' personal data was also compromised.

The company was fined $16,000.

The wholly owned unit of the Singapore Contractors Association, SCAL Academy, had not taken reasonable security steps to protect the personal data of 3,628 individuals who attended its programmes, including their name, race, date of birth, identity card number, address and their company name.

These documents were publicly accessible when an online search was done in late 2018.

SCAL Academy received a $15,000 penalty.

The PDPC also sent NTUC Income and AXA Insurance warnings for breaches.

The PDPC imposed directions on Henry Park Primary School Parents' Association for failing to have reasonable measures to protect personal data, not appointing a data protection officer and not having written policies and practices to ensure compliance with the data protection law.


A version of this article appeared in the print edition of The Straits Times on February 13, 2020, with the headline 'Singtel, SPH Magazines fined over data breaches'. Subscribe