Advertising firm fined $10k for not securing personal data

SINGAPORE - Advertising firm O2 Advertising was hit with a $10,000 fine last week for breaching data privacy laws by failing to secure the personal details of more than 1,000 individuals.

Singapore's privacy watchdog, the Personal Data Protection Commission (PDPC), released documents relating to this breach on its website on Friday (Sept 6).

According to the PDPC, the company had possession of data from an advertising campaign on behalf of a client, but did not stop the retention of such data when it was no longer required - an offence under the Personal Data Protection Act (PDPA).

This data include personally identifiable information like name, NRIC number, e-mail address, residential address and their mobile number.

It was stored in two databases: one containing the data of 403 people that was able to be publicly accessed, and the other which contained the data of 1,165 people and was "at risk of unauthorised access".

PDPC said that an individual had complained about the databases after he came across them when he conducted a search on Google using his name and NRIC number.

In addition to the fine meted out on Aug 28, O2 Advertising was directed by the PDPC to appoint a data protection officer and put in place data protection policies and practices.

On Friday, the PDPC also released details of a $5,000 fine that was imposed on Aug 23 on employment agency Executive Link Services.

The organisation had failed to appoint a data protection officer and did not have written policies and practices necessary to ensure its compliance with the PDPA.

According to the commission, some time before June 8, a client of Executive Link Services had engaged a cyber-security company to conduct a scan of the Internet for "information relating to the client".

This cyber-security company found that it was able to access and retrieve copies of draft contracts of job candidates from the Executive Link Service's server.

PDPC said that the information of 367 individuals, which included their name, address, contact number, e-mail address, education level, salary expectation and employment history were exposed.

In July, five companies were hit with fines totalling $117,000 for breaching data privacy laws by failing to secure the personal details of their customers and employees.

This included the highest fine in six months of $54,000, which was levied on Horizon Fast Ferry. The firm provides ferry services between Singapore and Batam.

The highest fine the commission has imposed is $1 million.

SingHealth and Integrated Health Information Systems (IHiS) received the combined fine in January this year for their mistakes during last year's SingHealth data breach.

The cyber attack in June 2018 compromised the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong.