CDP among 3 organisations fined $47,000 in total for personal data breaches


SINGAPORE - The Central Depository (CDP) and two other organisations have been fined a total of $47,000 for breaching data privacy laws.

The CDP received the biggest fine of $32,000 after it mailed dividend cheques to outdated addresses, putting more than 200 account holders at risk of having their personal data disclosed.

According to a written decision by the Personal Data Protection Commission (PDPC) published on its website on Monday (Aug 3), the CDP had mailed the cheques containing personal information such as names and NRIC numbers to outdated addresses after it migrated its software system in December 2018.

Tests of the new system, which captured account holders' updated addresses as well as historical addresses, did not include the scenario of a change of address in the automated generation of dividend cheque mailers.

This led to the mailing of dividend cheques to possibly 211 CDP account holders at their old addresses - a number deduced from the number of cheques not presented for payment.

The data breach was revealed after an account holder complained in March last year that the CDP had sent a dividend cheque to an outdated address.

The two other organisations are the Singapore Accountancy Commission (SAC) and education institute MDIS Corporation, which were fined $5,000 and $10,000 respectively for their breaches.

In the case of the SAC, a folder containing personal data of 6,541 Singapore Chartered Accountant Qualification programme personnel and candidates was mistakenly enclosed in e-mails sent to 41 unintended recipients.

As for MDIS, the information of more than 300 people, who had provided their personal data to register for its courses, was publicly available on its website. The slip-up came to light when one of those affected discovered that she was able to access a spreadsheet containing the information through a Google search of her NRIC number.

Meanwhile, another five organisations, including insurance provider FWD Singapore and beauty group Jean Yip Salon, were given warnings for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data.

The PDPC, Singapore's privacy watchdog, released documents relating to these cases on its website on Monday.
