The PDPA Data Breach August 2020: A Recap of 8 Alarming Cases

By definition, a data breach pertains to any unauthorised access, collection, use, disclosure, copying, modification, or disposal or personal data in an organisation’s possession or under its control. Data breaches must be taken seriously as it often leads to financial losses, not to mention a loss of consumer trust for the organisation.

In Singapore, the Personal Data Protection Commission (PDPC) publishes decisions relating to organisations that are found to have infringed the data protections under the Personal Data Protection Act (PDPA). In making these reports public, the PDPC intends to remind individuals and organisations of their respective rights and obligations under the PDPA.

A Look into the PDPA Data Breach August 2020 List

1. Singapore Accountancy Commission

Nature of breach: protection

Decision: financial Penalty (S$5,000)

What happened: Between 12 June 2019 and 22 October 2019, 41 unintended recipients received via email a folder containing personal data of 6,541 Singapore Chartered Accountant Qualification programme personnel and candidates.

Clearly it was sent by mistake, but that folder contained information such as Standard Chartered Accountant Qualification examination results, employment information, names, NRIC numbers, and other sensitive data.

Lapses: The Organisation admitted to a lack of robust measures to protect personal data when sending emails. That is, the staff involved in the sending of emails were not informed of the Organisation’s personal data policies as part of their induction training. Also, there were no second-tier supervisory checks of technical measures to reduce the risk of sending content with personal data to unintended parties at the time of the incident.

Moving forward: The Organisation undertook remediation such as training sessions on cybersecurity and personal data protection for all employees and revision of policies and procedures of handling of personal data.

2. Zero1 and IP Tribe

Nature of breach: protection

Decision: warning

What happened: Unintended recipients received via email the invoices containing the personal data of their subscribers. Caused by Batch ID duplication, the incident exposed the affected subscribers’ personal name, address, subscriber ID, and other sensitive information.

Lapses: The Migration Scenario, an important part of pre-launch testing, was not catered for. Moreover, the processes to ensure that the New Platform would issue unique Batch IDs were inadequate.

Moving forward: No directions are required as the Organisation and IPT had taken remedial actions to address the gaps in security arrangements respectively.

Also Read: Advisory Guidelines on Key Concepts in the PDPA: 23 Chapters

3. Actstitude

Nature of breach: protection

Decision: warning

What happened: Making it to this list of PDPA Data Breach August 2020 is a social media platform marketing agency. The URL directing to the uploaded resumes of the Organisation’s job applicants can be modified and accessed by different individuals. No security measures were put into place to restrict access to the resume files.

Lapses: The Organisation failed to conduct vulnerability scanning as part of their pre-launch testing. Moreover, they did not conduct periodic security reviews.

Moving forward: No directions are required as the Organisation had taken into action to address the gaps in its security arrangements.

4. Jean Yip Salon

Nature of breach: protection

Decision: warning

What happened: An employee system maintained by Jean Yip Salon Pte Ltd was publicly accessible via the internet. As a result, the personal data of 28 individuals was disclosed via the system including names, NRIC numbers, and more.

Lapse: The Organisation did not adopt reasonable measures to protect personal data in its possession and against risk of unauthorised access.

Moving forward: No directions were required as the Organisation had implemented corrective measures that addressed the gaps in its security arrangements.

5. FWD Singapore

Nature of breach: protection

Decision: warning

What happened: This Organisation made it to the list of PDPA data breach August 2020 because of an incident that occurred between 20 June 2019 and 17 July 2019. Incorrect recipients were unintentionally sent the personal data of 71 individuals which were contained in 42 payment advice letters.

Lapse: The Organisation attempted to fix a logic error in the system, but it resulted in the extraction of incorrect mailing addresses for payment advice letters in some circumstances. They should have taken care in conducting its manual code review.

Moving forward: No directions are required as the Organisation took steps to improve its development processes to prevent the recurrence of the incident.

6. CDP

Nature of breach: protection

Decision: financial penalty

What happened: The dividend cheques of some CDP account holders were mailed to outdated addresses, resulting in the disclosure of their personal data to other individuals.

Lapse: The Organisation made an oversight with the incorrect coding of the Dividend Cheque Module, resulting in the inconsistent extraction of a CDP Account Holder’s updated address.

Moving forward: Besides introducing additional measures with regard to its coding of the Module, the Organisation will also be conducting refresher training to ensure that its team report issues under their respective purview as soon as practicable.

7. MDIS Corporation

Nature of breach: protection

Decision: financial penalty (S$10,000)

What happened: A Microsoft Excel spreadhseet containing personal data of individuals who had signed up for courses at the Organisation could be accessed online by doing a Google search of any NRIC number that can be found within the spreadsheet.

Lapses: First, the Organisation failed to communicate any data protection requirements to the vendor or the developer. Second, the Organisation failed to take reasonable steps pre-launch to discover risks to the Disclosed Data that was collected through the Form.

Moving forward: The Organisation must pay a financial penalty.

Also Read: PDPA For Companies: Compliance Guide For Singapore Business

8. MCST 3400

Nature of breach: protection

Decision: warning

What happened: The final Organisation that made it to the PDPA data breach August 2020 list mistakenly made accessible a directory containing personal data of its employees. During that period, any member of the public could access this directory.

Lapses: The Organisation was unaware that the directory could be accessed online without the need for any login credentials.

Moving forward: First, organisations should conduct code reviews and pre-launch testing before deploying new IT features or changes to IT systems. Second, organisations should conduct periodic survey reviews of its IT systems.

Not Part of the PDPA Data Breach August 2020 List? Let’s Keep it That Way.

Learn how your organisation can achieve full PDPA compliance. At Privacy Ninja, we aim to help businesses in Singapore and beyond achieve PDPA compliance. Drop us an email and let us know how we can help you achieve the government-mandated PDPA compliance.