Firm fined $4k for leak of personal data of over 400 servicemen

The Personal Data Protection Commission fined Option Gift $4,000 after the firm accidentally leaked the details of 427 national servicemen.
The Personal Data Protection Commission fined Option Gift $4,000 after the firm accidentally leaked the details of 427 national servicemen.PHOTO: ST FILE

A firm has been fined $4,000 by Singapore's privacy watchdog for the leak of the personal data of more than 400 national servicemen on June 12 last year due to a technical error.

The data comprised the login identifications, e-mail addresses, delivery addresses and mobile phone numbers of 427 men from the Singapore Armed Forces and Home Team.

All had redeemed credits for service-linked rewards on an online portal, Uniqrewards, maintained by Option Gift.

Such rewards are given in recognition of a serviceman's good performance during in-camp training or courses, or to celebrate certain events, such as the birth of a child.

The information was leaked when e-mails intended for the group of servicemen were shared mostly with all of them by mistake because the program script used to generate confirmation e-mails for users who had requested redemptions did not work as expected, the Personal Data Protection Commission (PDPC) found.

The PDPC, in its grounds for the decision last Thursday, found that Option Gift had breached Section 24 of the Personal Data Protection Act, which requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps to prevent "unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks".

The report said that as the administrator of the portal, Option Gift had full possession and control over the personal data that it has collected at all material times. Thus, it bears full responsibility for the security of the portal, any changes to it, as well as the personal data processed by it.

 

"In this regard, the Commissioner found that the organisation had failed to conduct sufficient testing before rolling out the program script," said the report.

INSUFFICIENT TESTING

The Commissioner found that the organisation had failed to conduct sufficient testing before rolling out the program script.

REPORT BY THE PERSONAL DATA PROTECTION COMMISSION

The report said Commissioner Tan Kiat Ho took into account mitigating factors, such as how Option Gift took prompt action by informing the affected individuals on the same day.

The firm also took action to prevent a recurrence of similar incidents, such as having only authorised users, with the approval of the Option Gift's data protection officer, re-send confirmation e-mails.

All the affected national servicemen were also given a gift voucher worth $80 each as a gesture of apology by Option Gift in July last year, noted the PDPC.

A version of this article appeared in the print edition of The Straits Times on June 10, 2019, with the headline 'Firm fined $4k for leak of personal data of over 400 servicemen'. Print Edition | Subscribe