HSA vendor that exposed blood donors' personal data fined S$120,000

Tay Peck Gek

Published Wed, Nov 25, 2020 · 09:50 PM

The vendor for the Health Sciences Authority which accidentally put online the personal information of about 800,000 blood donors has been fined S$120,000.

Forensic investigations showed that the number of records - including personal details such as identity card and mobile phone numbers - that had been leaked was between 236,023 and 328,546, according to a decision by the Personal Data Protection Commission (PDPC) published on Tuesday.

Secur Solutions Group, in helping the authority to develop, maintain and enhance the queue-management system for blood donors, stored the files containing copies of the database in a storage server that was designated for the purposes of testing and development.

However, it did not secure the server, which was accessible through the Internet, because the server was not intended to be used to store personal data or other confidential information.

Secur also did not actively patch or update the server's system, and the router to which the server was connected did not have a perimeter firewall set up.

A cyber security specialist discovered last March that he could access the personal data in the database through that Secur server. The company cut off access to the server soon after, and took other remedial actions.

It notified the PDPC about its transgression.

Secur had requested that it pay the S$120,000 in instalments on the grounds that paying it all at one go would compromise its cash flow. It also said that it had taken professional advice on and invested in data protection and cyber security measures.

The commission declined the request to pay the penalty in instalments because the company had failed to show documentary proof that making the payment in a lump sum would cause it financial strain.

Singapore passed the amended data-protection law early this month, giving the PDPC the power to impose harsher fines and to hold organisations accountable. A company that infringes the Personal Data Protection Act can be fined up to 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher.

The current cap for financial penalties is S$1 million.

Copyright SPH Media. All rights reserved.