Virtual telco fined $4,000 for data breach

Zero1 is the first telco here to breach data privacy laws, after failing to secure customers' details

Virtual telco Zero1 has become the first telco here to breach data privacy laws, incurring a $4,000 fine last month for failing to secure the personal details of its customers, such as names, NRIC numbers and addresses.

The Personal Data Protection Commission (PDPC) released a document relating to this breach on its website on Thursday.

According to the privacy watchdog, the telco had contracted courier services provider XDel Singapore in March last year to deliver SIM cards to its subscribers, but the latter did not adequately secure its online system for tracking delivery. This resulted in the unauthorised access of the personal data.

XDel was fined $7,000 for causing the breach.

To subscribe to Zero1's mobile services, customers would register on its website, and the telco would provide XDel with the customers' information - names, NRIC numbers, delivery addresses and contact numbers.

A subscriber could authorise another person to receive delivery of the SIM card by providing the person's particulars to Zero1.

Each subscriber was then provided with a unique Web link to a delivery notification website, which would show the status of the delivery.

PDPC said that the information was wrongfully accessed through these sites.

In the first batch of Zero1's deliveries in March last year, more than 330 unique Web links were sent out, allowing for access to the personal data of 292 individuals. PDPC said there was unauthorised access to 175 of these unique Web links.

The breach came to light after a post on an online forum warned other users that it was possible to access the information of Zero1 subscribers.

XDel had developed the delivery system in-house, and it admitted to the PDPC that it had failed to adequately test the system to make sure it was safe.

The PDPC said Zero1 had also failed to make reasonable security arrangements.

In a document on the commission's decision, PDPC deputy commissioner Yeong Zee Kin said the data had originated from Zero1's possession and control.

"Zero1 had the obligation under Section 24 of the PDPA to protect the personal data of its customers and that of the authorised recipients," he said.

Section 24 of the Personal Data Protection Act (PDPA) requires organisations to make reasonable security arrangements to protect the personal data that they possess or control, and to prevent unauthorised access, collection, use, disclosure or similar risks.

In a separate document uploaded on Thursday, PDPC said management consultancy firm Amicus Solutions and financial consultant Ivan Chua were issued penalties of $48,000 and $10,000, respectively, for breaches of the PDPA.

Amicus Solutions had failed to notify and obtain consent for the disclosure of individuals' personal data which it sold to Mr Chua, who used the data for telemarketing purposes. These fines were issued on Aug 30.


A version of this article appeared in the print edition of The Straits Times on October 12, 2019, with the headline "Virtual telco fined $4,000 for data breach".