Advertising firm fined $10k for not securing personal data

Advertising firm O2 Advertising was fined $10,000 last week for breaching data privacy laws by failing to secure the personal details of more than 1,000 individuals.

Singapore's privacy watchdog, the Personal Data Protection Commission (PDPC), released documents relating to this breach on its website yesterday.

The PDPC said the company had possession of data from an advertising campaign on behalf of a client, but did not prevent the retention of such data when it was no longer required - an offence under the Personal Data Protection Act (PDPA).

The data included information such as name, NRIC number, e-mail address and mobile number.

It was stored in two separate databases: One containing the data of 403 people that could be accessed publicly, and the other which contained the data of 1,165 people that was "at risk of unauthorised access".

PDPC said that an individual complained about the databases after he came across them when he conducted a search on Google using his name and NRIC number.

In addition to the fine meted out on Aug 28, O2 Advertising was directed to appoint a data protection officer and put in place data protection policies and practices.

Yesterday, the PDPC also released details of a $5,000 fine that was imposed on Aug 23 on employment agency Executive Link Services.

 
 
 

The organisation had failed to appoint a data protection officer and did not have written policies and practices necessary to ensure its compliance with the PDPA.

According to the commission, some time before June 8, a client of Executive Link Services engaged a cyber-security company to conduct a scan of the Internet for "information relating to the client".

This cyber-security company found that it was able to access and retrieve copies of draft contracts of job candidates from the Executive Link Services' server.

PDPC said the information of 367 individuals, which included their name, address, contact number and employment history, was exposed.

A version of this article appeared in the print edition of The Straits Times on September 07, 2019, with the headline 'Advertising firm fined $10k for not securing personal data'. Print Edition | Subscribe