5 companies, including Genki Sushi and CDP, fined $117k for not securing personal data

Sushi restaurant chain Genki Sushi was fined $16,000 for failing to secure the personal data of its current and former employees. ST PHOTO: GIN TAY

SINGAPORE - Five companies have been slapped with fines totalling $117,000 in the last three weeks for breaching data privacy laws by failing to secure the personal details of their customers and employees.

The biggest fine of $54,000 - the highest in the last six months - was given to Horizon Fast Ferry, which provides ferry services between Singapore and Batam.

The Personal Data Protection Commission (PDPC) found that it had failed to appoint a data protection officer, develop and implement data protection policies and practices, and put in place "reasonable security arrangements" to protect customers' personal data.

The PDPC, Singapore's privacy watchdog, released documents relating to the five cases of breach of the Personal Data Protection Act on its website last Friday (Aug 2).

Popular sushi restaurant chain Genki Sushi was fined $16,000 for failing to secure the personal data of its current and former employees.

PDPC deputy commissioner Yeong Zee Kin said that a compromised server had left the company's systems open to a ransomware attack last September.

Investigations by the PDPC found that the server was an off-the-shelf payroll software application which lets employees view their electronic payslips and allows supervisors to confirm the attendance of their staff.

As a result of the ransomware, personal data belonging to about 360 current and former employees was encrypted by the attacker.

PDPC said a ransom payment was demanded from Genki Sushi in exchange for the decryption key, although there was no evidence of the encrypted files getting stolen or disclosed without authorisation.

PDPC found that Genki Sushi initially did not have a firewall for the server, and even after one was installed following a recent IT migration, it failed to configure the firewall to filter out external threats.

The Central Depository (CDP) and Toppan Security Printing were fined $24,000 and $18,000 respectively for not having "reasonable security arrangements to protect the data" of CDP account holders from unauthorised disclosure. The data of 1,358 account holders were printed by mistake in notification letters to other account holders and sent out.

Tuition agency Championtutor was fined $5,000 for failing to appoint a data protection officer and did not have written policies and practices to ensure its compliance with the PDPA.

The $54,000 fine on Horizon Fast Ferry is the highest since the combined fine of $1 million slapped on SingHealth and Integrated Health Information Systems (IHiS) in January this year for their mistakes during last year's SingHealth data breach.

The cyber attack in June 2018 compromised the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong.

Join ST's Telegram channel and get the latest breaking news delivered to you.