5 firms fined over data breaches

Five companies have been fined $117,000 in the last three weeks for failing to secure the personal data of their customers and staff.

The biggest fine of $54,000 was given to Horizon Fast Ferry, which offers ferry services between Singapore and Batam.

The Personal Data Protection Commission (PDPC) found that the company had failed to appoint a data protection officer, develop and implement data protection policies and practices, or put in place "reasonable security arrangements" to protect customers' personal data.

The privacy watchdog released documents relating to the five cases of breach of the Personal Data Protection Act (PDPA) on its website last Friday.

The Central Depository (CDP) and Toppan Security Printing were fined $24,000 and $18,000 respectively for not having reasonable security arrangements to protect CDP account holders' data from unauthorised disclosure. The data of 1,358 account holders had been printed by mistake in letters that were then sent to other account holders.

Sushi restaurant chain Genki Sushi was also fined $16,000 for failing to secure the data of about 360 current and former staff.

PDPC deputy commissioner Yeong Zee Kin said a compromised server had left the chain's systems open to a ransomware attack in September last year. The server was an off-the-shelf payroll application for staff to view electronic payslips and supervisors to confirm staff attendance.

The attacker had encrypted the data and demanded a ransom payment in exchange for decryption, PDPC said, but there was no evidence of encrypted files having been stolen or disclosed without authorisation.

A probe found that the server initially had no firewall. Even when one was installed after an IT migration, it was not configured to filter out external threats.

Tuition agency ChampionTutor was fined $5,000 for not appointing a data protection officer or having written policies and practices to ensure PDPA compliance.

Horizon Fast Ferry's fine is the highest since the $1 million slapped on SingHealth and Integrated Health Information Systems in January for a breach in June last year. The attack had compromised the personal data of 1.5 million patients, including Prime Minister Lee Hsien Loong.

A version of this article appeared in the print edition of The Straits Times on August 08, 2019, with the headline '5 firms fined over data breaches'. Print Edition | Subscribe