Firm fined $4,000 by PDPC for leak of more than 400 national servicemen's data

The Personal Data Protection Commission fined Option Gift $4,000 after the firm accidentally leaked the details of 427 national servicemen.
The Personal Data Protection Commission fined Option Gift $4,000 after the firm accidentally leaked the details of 427 national servicemen.PHOTO: ST FILE

SINGAPORE - A firm has been fined $4,000 by Singapore's privacy watchdog for the leak of the personal data of more than 400 national servicemen on June 12 last year due to a technical error.

The data comprised the log-in identifications, e-mail addresses, delivery addresses and mobile phone numbers of 427 men from the Singapore Armed Forces (SAF) and Home Team.

All had redeemed credits for service-linked rewards on an online portal, Uniqrewards, maintained by Option Gift.

Such rewards are given in recognition of a serviceman's good performance during in-camp training or courses, or to celebrate certain events, such as the birth of a child.

The information was leaked when e-mails intended for individual servicemen were sent to almost all of them by mistake because the programme script used to generate confirmation e-mails for users who had requested redemptions did not work as expected, the Personal Data Protection Commission (PDPC) found.

The PDPC, in its grounds for the decision last Thursday (June 6), found that Option Gift had breached section 24 of the Personal Data Protection Act, which requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps to prevent "unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks".

The report said that as the administrator of the portal, Option Gift had full possession and control over the personal data that it has collected at all material times. Thus, it bears full responsibility for the security of the portal, any changes to it, as well as the personal data processed by it.


"In this regard, the Commissioner found that the Organisation had failed to conduct sufficient testing before rolling out the programme script," said the report.

The report said that commissioner Tan Kiat How took into account mitigating factors, such as how Option Gift took prompt action by informing the affected individuals on the same day.

The firm also took action to prevent a recurrence of similar incidents, such as requiring the approval of Option Gift's data protection officer before authorised users can re-send confirmation e-mails.

All the affected national servicemen were also given a gift voucher worth $80 as a gesture of apology by Option Gift in July last year, noted the PDPC.