Is your confidential info safe? More can be done to beef up personal data protection rules, say experts

Personal Data Protection Act rules serve as the minimum standard for the protection of personal data in Singapore.

SINGAPORE - The personal data of more than 320,000 people was allegedly stolen from healthcare provider Fullerton Health Group some months ago and put up for sale on an online portal popular with hackers.

The person – whose identity is unknown – said the data being sold belonged to patients who had visited a Fullerton clinic in Singapore. Fullerton has more than 30 clinics in its stable, including one in Shenton Way.

On Dec 30, 2023, a sample containing the personal details of 28 people was put up for sale online.

The seller claimed that the data – available for US$500 (S$672) – was stolen some time in August 2023, in an attempt to falsely pass it off as new information.

However, it was merely a rehash of information belonging to Fullerton Health customers stolen in October 2021 in a data breach, which led to the personal details of 133,866 patients and 23,034 employees of its corporate clients being leaked.

The personal information in these files included identity card numbers, contact details, bank account numbers and codes and health information.

Fullerton Health was fined $58,000 by the Personal Data Protection Commission (PDPC) in June 2023 over the breach.

PDPC, in its findings, said it took into account Fullerton Health’s annual turnover, and settled on the five-figure sum as a “proportionate and effective” penalty that would serve as a deterrent.

Fullerton Health’s revenue crossed $800 million in 2021, when the maximum financial penalty that could be imposed under the Personal Data Protection Act (PDPA) was $1 million.

Changes to the law in October 2022 meant that errant firms face a maximum fine that works out to 10 per cent of a firm’s annual turnover in Singapore, or $1 million, whichever is higher.

However, since April 2016, the highest recorded penalty imposed on a firm in breach of data protection rules has been $750,000, in 2019. In that case, information technology vendor Integrated Health Information Systems (IHiS) was penalised after a cyber attack involving SingHealth, which compromised the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong.

SingHealth was not spared either – it had a $250,000 fine imposed on it despite delegating its cyber-security operations entirely to IHiS.

But are these penalties heavy enough to force businesses to make sure critical data is better protected?

Prevention is better than cure

PDPA rules came into force on Oct 15, 2012, and serve as the minimum standard for the protection of personal data in Singapore. The law aims to balance the right of individuals to protect their personal data and the need for organisations to collect, use or disclose data for legitimate and reasonable purposes.

Organisations are required to first get consent before being allowed to get hold of personal data belonging to customers or clients, and use it for any purpose.

When a data breach occurs, the company is required to inform the PDPC if it affects at least 500 people. If it involves personal data that is likely to result in significant harm if compromised, then the company will need to inform both the PDPC and those who are affected.

Fines help to hold organisations accountable, but such penalties are ultimately reactive, said Ms Joanne Wong, vice-president of international markets at cyber-security firm LogRhythm.

“They may have limited impact in preventing further breaches from happening again,” she added.

Worse, once someone’s personal information is put up online, it can be abused in many different ways.

This may not happen immediately, especially since the Internet has a long memory, said Mr Kevin Reed, chief information security officer at cyber-security firm Acronis.

Already, fraudsters have been making use of stolen data to craft personalised phishing campaigns, and trying to pass themselves off as trusted businesses or retailers by using victims’ personal information in correspondence.

When personal data is compromised, it could lead to identity theft and financial loss as cyber criminals make use of information such as identity card numbers and bank account details to impersonate individuals.

Instead of simply relying on penalties as an incentive for organisations to take data security seriously, both experts said stronger pre-emptive measures need to be adopted.

Tougher rules, for instance in the form of higher industry standards, and encouraging the sharing of best practices, would be a more holistic approach, said Ms Wong.

The approach now is punitive and reactive, and the focus could shift to one that is more preventive, she added.

Mr Steve Tan, a partner and deputy head of technology, media and telecommunications at law firm Rajah and Tann, said the PDPA is not meant to be “punitive or retributive in nature”.

What is clear is that the PDPC has been effective in enforcing the rules, based simply on the number of published decisions – about 300 since 2014 – put up on its website.

The law is robust enough, but Mr Tan said he hopes for provisions that will set higher standards for IT vendors. He added that in several cases he was involved in, companies were found to have flouted PDPA rules because of negligence on the part of such third-party vendors.

He said: “When it comes to small and medium-sized enterprises, a lot of the time, they don’t have money for their own IT teams, so they outsource.

“If the vendors they get aren’t doing their jobs properly, these businesses wouldn’t know any better. But when a data breach occurs, they’ll be held responsible as well, since they’re the ones controlling the data.”

Mr Reed said a rethink about data collection could also be useful, as companies tend to collect more data than they need.

He said: “Unfortunately, there’s this perception that companies will lose their competitive edge if they don’t collect all the data that they can, but is that really necessary?

“It’s actually a liability, and while they need to exercise more care in their handling of it, they should also question if they really need every piece of information from their customers.”

Would harsher financial penalties help?

In other parts of the world, the maximum financial penalty that can be imposed on companies that have experienced data breaches tends to be higher than in Singapore.

Australia in 2022 increased the maximum amount to A$50 million (S$44 million), three times the value of any benefit obtained through the misuse of information, or 30 per cent of a company’s adjusted turnover in the given period, whichever is higher.

The adjusted turnover refers to a company’s turnover during the period of the breach, instead of its annual figure.

In the United States, different states have their own ways of assessing how much the penalties need to be.

However, the US Federal Trade Commission, which oversees consumer privacy and security, has regularly levied fines of millions of dollars.

In 2019, American credit reporting agency Equifax was made to pay at least US$575 million (S$772 million) as part of a settlement after a 2017 data breach exposed the data of 147 million customers. Some of the money was given to customers as compensation.

The European Union’s General Data Protection Regulation (GDPR), on the other hand, sets the amount at €20 million (S$29.2 million) or 4 per cent of an organisation’s worldwide annual revenue, whichever is higher.

In the aftermath of its exit from the EU (Brexit), Britain put in place its own version of GDPR laws. The maximum fine is similar – set at £17.5 million (S$29.9 million) or 4 per cent of an organisation’s worldwide annual revenue.

Although fines in Singapore have not reached such amounts, and sometimes seem like a small sum, Mr Tan said the law has to be neutral. For instance, the fine issued to a person who parks on a double yellow line is not pegged to the person’s annual income.

In response to queries, a PDPC spokesman said: “Generally, financial penalties imposed on organisations will be calibrated based on certain considerations, including the scale and egregiousness of the incident.”

He added that the regulator will not hesitate to impose high penalties in appropriate and deserving cases.

Those who have suffered some form of loss or damage as a direct result of the data breach can also pursue a civil action against the organisation that held the data, but these are few and far between, said Mr Tan.

Mr Jonathan Kok, who is a partner in the technology and intellectual property team at Withers KhattarWong, said that unlike in the US, where class-action lawsuits are common, it is rare for such actions to be undertaken in Singapore. “This could be due to several factors, including the perceived difficulty in proving direct harm, legal costs and the relatively swift response of regulatory bodies like the PDPC,” he added.

Forcing businesses to pay compensation as part of the financial penalties could also be a double-edged sword, he said, as it might lead to higher operational costs for businesses, which might then be passed on to consumers.

Ultimately, Mr Reed said, forcing firms to compensate data breach victims will not lead to better outcomes.

He said: “It’s a lost cause. The data’s already out there, and companies will not magically become more secure just by making them pay more in fines.

“You cannot reimburse people who have had their data stolen, since it can be used by anyone, anytime down the road. No single payment can compensate for that.”

Singapore firms under siege

In 2023 alone, The Straits Times reported several data breaches involving Singapore companies.

In many of the cases, people’s personal data is put up for sale on the Dark Web – a part of the Internet where illegal products and services can be found.

Often, they are the handiwork of ransomware gangs – groups of cyber criminals that extort firms by encrypting their data.

Cyber-security firm Palo Alto Networks’ Unit 42 – in its 2023 Ransomware and Extortion Report – said gangs use data theft as a form of extortion.

Between mid-2021 and late 2022, 53 per cent of ransomware incidents involved negotiations after cyber criminals threatened to leak stolen data, the report said.

The trend is expected to continue because the tactic works, it added.

A separate report by cyber-security firm Sophos found that Singapore had the highest rate of ransomware attacks in the world – 84 per cent of Singapore organisations surveyed reported being victims, compared with 65 per cent the year before.

The Cyber Security Agency of Singapore warned in 2022 that ransomware attacks are expected to climb amid rapid digitalisation worldwide. It added that the number of attacks was up 54 per cent here from 2020 to 2021.

In December alone, at least 10 Singapore companies allegedly suffered data breaches, according to threat intelligence platform FalconFeeds.io. Ransomware gangs were responsible for the breaches in many of the cases.

One of them, ASA Holidays, was allegedly targeted by the BianLian gang, which claimed to have access to 736GB of the travel agency’s data. This included internal e-mail correspondence, and the personal data of clients.

ST was unable to independently verify the allegations, as samples were not provided on the ransomware gang’s website on the Dark Web. Only the personal information of several employees, including the agency’s founder, was made available. ASA Holidays declined to comment.

However, PDPC on Dec 21 said it was aware of the report and had contacted the travel agency for more information.

A week earlier, another Singapore firm – Commonwealth Capital – was hit by the same ransomware gang.

This time, it claimed to have access to 2TB of the investment firm’s data, although, again, no samples were provided.

Commonwealth Capital group chief human resources officer Audrey Koh said her firm was the victim of a cyber attack, but declined to give details, including how many people were affected.

She said the firm has taken steps to protect the interests of employees and partners, including informing them of the incident. Reports have also been lodged with the police, the PDPC and the Singapore Cyber Emergency Response Team.

Mr Nathan Hall, the vice-president for Asia-Pacific and Japan at data management firm Pure Storage, said such cyber attacks and data breaches are expected to become increasingly common in the coming years.

The situation is expected to “get worse as the world increasingly digitalises”, he added.

He said: “With technological advancements outpacing regulations, there is an urgent need to rethink how we approach data protection.”

Mr Scott Jarkoff, the director for the strategic threat advisory group for the Asia-Pacific and Japan, and Europe, Middle East and Africa at cyber-security firm CrowdStrike, said the impacts of such breaches have increased as well.

These could range from loss of customer trust and reputational damage to a complete inability to conduct business and, eventually, a halt in operations.

Mr Jarkoff said: “Sometimes, an initial data breach is just the first step in a longer intrusion campaign targeting an organisation for further exploitation. The best way to protect against cyber attacks is by preventing breaches in the first place.”
