10 most notable data breach cases in 2021

The year is about to end, and there’s a lot for us to look back and set as a reminder for us not to do again. As the PDPC strictly monitors data breaches and related endeavors, organizations must make sure that they are kept abreast with the recent decisions and undertaking of the PDPC as these form part of the laws and regulations set in the PDPA.

Before we proceed with a new leaf as 2022 comes along, let’s look back at the 10 most notable data breach cases in 2021 based on the severity of the financial penalty imposed by the PDPC and the number of personal data affected by it.

Also Read: PDPA compliance for real estate agencies

10 most notable data breach cases in 2021

1) Breach of the Protection Obligation by Commeasure

In this case, Commeasure was made to pay a whopping S$74,000 for failing to put in place reasonable security arrangements to prevent the unauthorized access and exfiltration of customers’ personal data hosted in a cloud database. This accident affected 6 million customer records. This is the biggest data breach incident in the history of the PDPA.

(2) Breach of the Protection, Accountability, and Retention Limitation Obligations by Stylez

A financial penalty of S$37,500 was made to pay to Stylez for failing to put in place reasonable security arrangements to protect the personal data of its customers and cease retaining data when the purpose of collection no longer exists. As a result, the personal data of its customers was publicly exposed. A direction was also issued to Stylez to develop and implement internal data protection policies and practices to comply with the PDPA. This is the 2nd highest financial penalty this year, plus Stylez contravened several provisions in the PDPA: Protection, Accountability, and Retention Limitation Obligations

(3) Breach of the Protection Obligation by HMI Institute of Health Sciences

This is the 3rd highest penalty by the PDPC for this year. In this case, a financial penalty of S$35,000 was made to pay to HMI Institute of Health Sciences for failing to put in place reasonable security arrangements to protect personal data stored in its server. This resulted in the data being subjected to a ransomware attack. HMI Institute of Health Sciences is a training institute in the healthcare industry. This case highlights the fact that training institutions must also adhere to the PDPA provisions.

(4) Breach of the Protection and Accountability Obligation by Jigyasa

In this case, directions and a financial penalty of $30,000 were awarded to Jigyasa for many contraventions. First, it failed to put in place reasonable measures to protect employee assessments reports on its website. Second, it did not appoint a DPO. Lastly, it did not have written policies and practices necessary to ensure its compliance with the PDPA. This is the 4th highest penalty by the PDPC for this year.

(5) Breach of the Protection Obligation by Tripartite Alliance

A financial penalty of S$29,000 was awarded to Tripartite Alliance for failing to put in place reasonable security arrangements to prevent the unauthorized access of approximately 20,000 individuals’ and companies’ data stored in its customer relationship system database. This is the 5th highest financial penalty this year, and it affected a staggering 20,000 individuals’ and companies’ data.

(6) Breach of the Protection and Accountability Obligation by Webcada

A financial penalty of S$25,000 was awarded to Webcada for breaches of the PDPA. First, the organization failed to put in place reasonable measures to protect personal data on its database servers. Second, it did not have written policies and practices necessary to ensure its compliance with the PDPA. This is the 6th highest financial penalty this year.

(7) Breach of the Protection Obligation by SAP Asia

For the 7th notable data breach case in 2021, a financial penalty of S$13,500 was awarded to SAP Asia for failing to put in place reasonable security arrangements to protect the personal data of its former employees. This resulted in an unauthorized disclosure of the personal data of unintended recipients. This breach was due to an employee’s carelessness, giving us an idea that regardless of whether it was due to negligence by an employee, the organization is still liable if there’s a breach of data. 

(8) Breach of the Protection Obligation by ChampionTutor

In this case, a financial penalty of S$10,000 was awarded to ChampionTutor, a tuition agency, for failing to put in place reasonable security arrangements to protect personal data in its possession. The incident resulted in the personal data being exposed. This is the 8th highest financial penalty this year, and this is the organization’s second data breach in a span of 2 years only.

(9) Breach of the Protection Obligation by the Future of Cooking

This case involves Future of Cooking and was made to pay a financial penalty of S$9,000 for failing to put in place reasonable security arrangements to prevent unauthorized disclosure of its customers’ personal data on its website. This is the 9th highest financial penalty this year, plus an example of how a lapse in proper security arrangements can lead to a data breach.

(10) No Breach of the Protection Obligation by Giordano

Lastly, this case is notable because it serves as a landmark case of how an organization can be spared from financial penalty even after contravention of the PDPA. Giordano was found not in breach of the PDPA in relation to an unauthorized network entry and ransomware infection that affected two of its systems storing personal data.

Also Read: PDPA Compliance for the Telecommunication Sector