Creative Tech, MSIG's service provider, PeopleSearch, 4 other entities penalised for personal data breach

Tay Peck Gek
Published Fri, Jan 10, 2020 · 05:18 AM

SEVEN organisations were found in breach of the Personal Data Protection Act (PDPA) and were fined a total of S$90,000. The companies included Creative Technology, MSIG's service provider and a recruitment company that was attacked by ransomware.

Among the seven, Globalsign.in, the email marketing service provider of MSIG Insurance (Singapore), was slapped with the highest penalty, S$34,000, for having its mass emailing system accessed without authorisation in August 2017 and abused to send spam emails to 149,172 of MSIG's customers.

Creative was handed a S$15,000 penalty. The company did not install patches to address a vulnerability in the software used to operate and host an online forum. This resulted in the unauthorised disclosure of the personal data of 484,512 forum users, whose account information was accessed and extracted in May 2018.

PeopleSearch was the victim of a ransomware attack last March. The company, which offers professional recruitment and staffing services in Asia, received a ransom note asking for payment in exchange for the decryption key to files holding the personal information of 944 individuals. PeopleSearch admitted that no security scans, penetration testing or patching of the server had been performed for at least 12 months preceding the incident. It was fined S$5,000.

A SAFRA National Service Association employee inadvertently leaked the personal data of 780 shooting club members in September 2018. When he sent out emails to 491 of these members, the emails had attached spreadsheets that included other members' names, National Registration Identity Card (NRIC) numbers, dates of birth, addresses, telephone numbers and email addresses. The association was fined S$10,000.

Society of Tourist Guides (Singapore) had disclosed sensitive information of 111 members in March last year, exposing their NRIC numbers, driving licence details and photographs through links on its website. Publicly accessible directories on the website were found to store images of identification documents, which contained data of the affected members including their thumbprints, addresses and the dates of issue of the documents. The society was given a S$20,000 penalty.

National Healthcare Group did not restrict Internet access to a list of 129 general practitioners (GPs) who had registered to be partner doctors of the organisation. Personal information of five members of the public who submitted feedback on the website was also publicly accessible. For this, the organisation has to pay a penalty of S$6,000.

Personal data of seven L'Oreal Singapore customers had been exposed to the risk of unauthorised disclosure, as a result of the company's failure to ensure appropriate testing of its website or make other security arrangements to protect the personal data. The company instructed its vendor to make some changes to the website in November 2018.

However, it failed to scope the user acceptance tests to include the normal functioning of the website, in particular the login and caching functions of the customer login page. This resulted in a customer's personal data being cached when he or she logged in; that data would then be disclosed to customers who subsequently logged in, until the next cache refresh. Having considered the representations and taking into account all the relevant circumstances, the Personal Data Protection Commission issued a warning to the company.
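The caching failure described above comes down to a page with per-user content being stored where the next visitor can receive it. The following is an added illustration, not L'Oreal's or its vendor's code: a check of HTTP response headers that flags when a page known to contain personal data could be kept by a shared cache, with a constructed weak header set beside a corrected one.

```python
"""Does a response carrying per-user content risk being served from a shared
cache to the next visitor?  Added illustration, not L'Oreal's or its vendor's
code; all header values below are constructed samples."""

def parse_cache_control(value):
    """Split 'private, max-age=0' into {'private': None, 'max-age': '0'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip()] = arg.strip().strip('"') if arg else None
    return directives

def shared_cache_risk(headers):
    """Return (risky, reasons) for a response known to contain personal data.
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return False, ["no-store: no cache may keep the body"]
    if "private" in cc:
        return False, ["private: shared caches must not store it"]
    # Nothing above forbids a shared cache (CDN, reverse proxy) from storing the body.
    reasons = []
    if "public" in cc:
        reasons.append("public: explicitly permits shared caching")
    for d in ("s-maxage", "max-age"):
        if d in cc:
            reasons.append(f"{d}={cc[d]}: body stays fresh for that many seconds")
            break
    if "set-cookie" in h:
        reasons.append("Set-Cookie: session material may be stored with the page")
    if not reasons:
        reasons.append("no freshness or privacy directive: heuristic caching possible")
    return True, reasons

# Constructed samples: the weak configuration and a corrected one.
WEAK = {"Cache-Control": "public, max-age=600", "Set-Cookie": "session=abc123"}
FIXED = {"Cache-Control": "private, no-store", "Pragma": "no-cache"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("fixed", FIXED)):
        risky, why = shared_cache_risk(hdrs)
        print(f"{name}: {'RISK' if risky else 'ok'} - {'; '.join(why)}")
```

Running the same check against the real login response in user acceptance testing is the kind of test the article says was left out of scope.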
