Tanah Merah Country Club fined $4,000 over data breaches

Ryan Goh
SINGAPORE - An employee of the Tanah Merah Country Club (TMCC) did not change her e-mail account password - TMCC@1234 - for nearly five years.
After hackers managed to gain access to the account and personal data of 467 individuals, the club has now drawn a fine of $4,000 over the breaches.
In a written decision published on Friday (Feb 18), the Personal Data Protection Commission, Singapore's privacy watchdog, said the club failed to take reasonable steps to protect personal data in its possession, in the incident on Feb 22 last year.
The breaches include the e-mail addresses of 155 club members and 284 members of the public - leading to phishing e-mails being sent to them - and the names, NRIC numbers and e-mail addresses of a further 28 individuals.
The report attributed the breaches to the employee for not changing her account password of "TMCC@1234" since 2016.
This is in spite of the club informing its employees in August 2018 of the need to do so once every three months, and to use a password combination of uppercase, lowercase and special characters.
In September 2019, TMCC sent another newsletter to inform staff of the implementation of a domain password policy. This meant that the password requirements became system enforced.
However, TMCC failed to develop its password requirements into writing, which meant the employee did not receive system prompts to change her password.
In addition, the club failed to provide training for its staff on how to ensure compliance with the obligations under the Personal Data Protection Act.
These contravened Section 24 of the Act, which states that the lack of a written policy may lead to any guidelines being ineffective and which also requires the training of all employees who handle personal data.
The commission said it "wishes to emphasise that staff training is a critical and necessary component to ensure that an organisation is well placed to protect the personal data in its possession and/or control".
In addition, previous TMCC newsletters to its employees cited "TMCC_Password_123" as an example of what amounts to a good password.
However, the commission disapproved of it, noting that it incorporates the organisation's name, which is "not difficult to guess and crack".
Following the incident, TMCC has engaged an IT forensic vendor and implemented the measures it recommended to improve its cyber security.
It has also documented its password policy, implemented regular updates and conducted training on personal data protection.
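
The password checks the article describes can be sketched in code. This is an added example, not taken from the commission's decision or from TMCC's systems; the banned-word list, the 90-day limit and the sample dates are assumptions. It shows that "TMCC@1234" fails even the composition rule the club announced, while "TMCC_Password_123" passes it and is caught only by a check for the organisation's name.

```python
import re
from datetime import date

# Assumptions for this sketch: the banned context words and the 90-day reading
# of "once every three months" are illustrative, not taken from TMCC's policy.
CONTEXT_WORDS = ("tmcc", "tanahmerah", "password")
MAX_AGE_DAYS = 90
# Undo common character substitutions before looking for context words.
SUBSTITUTIONS = str.maketrans(
    {"@": "a", "4": "a", "3": "e", "0": "o", "1": "i", "$": "s", "5": "s"}
)


def meets_composition(password: str) -> bool:
    """Uppercase, lowercase and special character, as the 2018 notice asked."""
    classes = (r"[A-Z]", r"[a-z]", r"[^A-Za-z0-9]")
    return all(re.search(c, password) for c in classes)


def context_words_in(password: str) -> list[str]:
    """Context words present once case, separators and substitutions are removed."""
    squashed = re.sub(r"[^a-z]", "", password.lower().translate(SUBSTITUTIONS))
    return [w for w in CONTEXT_WORDS if w in squashed]


def audit(password: str, last_changed: date, today: date) -> list[str]:
    """Content checks need the plaintext, so run them when a password is set."""
    findings = []
    if not meets_composition(password):
        findings.append("composition")
    if context_words_in(password):
        findings.append("context-word")
    if (today - last_changed).days > MAX_AGE_DAYS:
        findings.append("expired")
    return findings


if __name__ == "__main__":
    today = date(2021, 1, 1)  # constructed sample dates throughout
    samples = [
        ("TMCC@1234", date(2016, 1, 1)),
        ("TMCC_Password_123", date(2020, 12, 1)),
        ("Quiet-harbour-lamp-82", date(2020, 12, 1)),  # constructed password
    ]
    for pw, changed in samples:
        print(f"{pw!r}: {audit(pw, changed, today) or 'ok'}")
```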

