Eleven organisations fined, warned for data protection breaches
THE Personal Data Protection Commission (PDPC) of Singapore has taken enforcement action against 11 organisations for breaching their data protection obligations under the Personal Data Protection Act (PDPA).
One of the offending organisations is K Box Entertainment Group, which was fined S$50,000 - the largest financial penalty announced on Thursday. K Box had not put in place sufficient security measures to protect the personal data of 317,000 members, which were found to have been leaked and uploaded on a public website in September 2014. It had also failed to put in place adequate data protection policies or to appoint a data protection officer.
Finantech Holdings, the IT vendor in charge of K Box's content management system, was also given a penalty of S$10,000. It did not "patch security vulnerabilities" in K Box's IT system, which held its customers' personal data. Moreover, the password used for the administrator account was "admin", a weak password according to the PDPC.
The Institution of Engineers Singapore was fined S$10,000 for failing to implement adequate security measures to protect personal data in its possession, a breach that affected over 4,000 members in October 2014.
For a similar breach that affected more than 900 customers in September 2014, health supplements supplier Fei Fah Medical Manufacturing was given a penalty of S$5,000.
Warnings were issued to Challenger Technologies, its IT vendor Xirlynx Innovations, consumer home show organiser Full House Communications, Metro, Singapore Computer Society and Yes Tuition Agency for lapses in handling personal data.
Universal Travel Corporation (UTC), a tour agency, has been "issued directions" by the PDPC to enhance its personal data protection policies after a wrongful disclosure of 37 customers' personal data to four individuals.
The directions include having UTC inform individuals who had received the passenger list to not disclose the list to other third parties, and send their employees for training on PDPA obligations.
The PDPC said on Thursday that it considered the severity of non-compliance in each case to determine the type of enforcement action taken. The factors include whether the organisation had taken reasonable measures to prevent the data breach, the number of individuals who were or may be affected, and the manner in which the organisation responded to the breach.
Since the PDPA came into force in July 2014, the PDPC has received 667 complaints, of which 34 per cent were resolved through investigations and facilitation between the respective organisations and individuals, and 58 per cent were closed.