Singtel, SPH Magazines and others fined S$66,000 for data protection breaches

TELCO Singtel has been fined S$9,000 for yet another data breach involving its My Singtel mobile app, as the number of breaches hit a record high last year and the total amount of penalties levied amounted to over S$2 million.

Singtel, SPH Magazines and Royal Caribbean Cruises (Asia) were among the latest seven organisations which have flouted the Personal Data Protection Act (PDPA), and been fined S$66,000 in total, according to decisions published by the Personal Data Protection Commission (PDPC) on Feb 11.

This latest crop of organisations adds to the steadily increasing number of those that had been warned, directed or fined by the watchdog over the last four years - three in 2016, 12 in 2017, 28 in 2018 and 50 last year, according to the figures provided by the PDPC.

Calculations done by The Business Times based on decisions published since April 2016 on the PDPC website showed that the amount of penalties imposed totalled S$2.12 million over this period.

Penalties of S$1 million collectively were handed out last January to Singapore Health Services (SingHealth) and Integrated Health Information Systems (IHiS) for the worst breach of personal data in Singapore's history. IHiS is the central national IT agency for the public healthcare sector in Singapore.

In the latest cases, Mainboard-listed Singtel encountered a technical issue during its migration to a new billing system in early 2018, resulting in the personal data of 750 mobile subscribers being exposed to the risk of access by other subscribers. Of these, 39 subscribers' personal data were in fact accessed by other subscribers over a period of about 11 hours.

The PDPC, having considered the firm's prompt action to mitigate the impact by implementing a temporary fix and the migration of system had been completed and would not pose further risks, imposed a S$9,000 penalty on Singtel.

A wholly-owned unit of listed media and property group Singapore Press Holdings, SPH Magazines, was fined S$26,000.

SPH Magazines operates, hosts and maintains HardwareZone forum site, an online Internet portal for members to engage in discussions. A hacker had hacked into the system in 2017 and accessed a senior moderator's account, which the intruder then used to retrieve the user profiles of members.

Then, the system had a total of 685,393 user profiles. Investigations showed that the senior moderator's account was used to perform 704,764 attempted views of members' user profiles using networks that did not reveal the actual source IP (Internet Protocol) address, between Sept 22 and Sept 30, 2017.

The moderator's password had not not changed in 10 years and did not meet the length and complexity standard SPH Magazines implemented for its employees. Also, the account had been accessed as early as December 2015 and this was only discovered when this incident came to the knowledge of SPH Magazines.

Royal Caribbean Cruises notified the PDPC last year that its vendor's system had been subject to a ransomware attack, resulting in sensitive personal data of about 6,000 of its customers being accessed. The cyber attacker had tapped the database in the receipt system, leaving a ransom message demanding payment of 0.08 bitcoin for the deleted data.

The operator saw 25 of its employees' personal data also compromised.

While the system vendor was engaged to develop the receipt system, the PDPC noted that the vendor had not processed nor was it engaged to process the personal data of the employees and customers. Therefore, the cruise company was solely responsible for the protection of the data. The cruise company was therefore fined S$16,000.

The wholly-owned unit of the Singapore Contractors Association, SCAL Academy, had not taken reasonable security steps to protect the personal data of 3,628 individuals who attended its programmes, including their name, race, nationality, date of birth, gender, country of birth, identity card number, address and their company name.

These individuals' scanned registration documents were publicly accessible when an online search was done in late 2018.

SCAL Academy was slapped with a S$15,000 penalty.

Also, the PDPC had sent NTUC Income and AXA Insurance a warning each for their respective breaches.

NTUC Income's coding errors made the insurer inadvertently disclose 17 individuals' personal data to 123 users making enquiries through its website last year.

The other insurer AXA sent an email to an individual last year with a scanned document containing personal data of 87 other policyholders, when that document was actually meant for internal record.

Lastly, the PDPC imposed directions on Henry Park Primary School Parents' Association, for failing to have reasonable measures to protect personal data, not appointing a data protection officer and not having written policies and practices to ensure compliance with the data protection law.

The PDPA became effective in phases since January 2013, and organisations in breach could face a penalty of up to S$1 million.