Singapore slaps penalty on companies that failed to block data breaches

Singapore's privacy laws authorise a penalty of $1 million on organisations that fail to protect consumers' personal data.

Singapore's privacy watchdog has penalised 11 organisations for failing to protect the privacy of customers' personal data.

Karaoke chain K Box Entertainment Group received the heaviest fine, S$50,000, for failing to protect the personal data of members on its platform under the Personal Data Protection Act (PDPA).

Singapore's data protection legislation authorises slapping a penalty of $1 million per breach on organisations that fail to protect consumers' personal data.

The Personal Data Protection Commission (PDPC) also imposed financial penalties on organisations such as the Institution of Engineers and Fei Fah Medical Manufacturing, while six organisations, including Challenger Technologies, Metro, Xirlynx Innovations, Full House Communications, Singapore Computer Society and Yes Tuition Agency, were issued a warning.

The watchdog said K Box failed to protect personal data after user details including contact number, email address, NRIC number and date of birth of as many as 317,000 members were leaked online.

The data breach followed a hack of the company's database. The PDPC said K Box did not update its security systems and did not employ a data protection officer.

The watchdog also slapped a fine of S$10,000 on IT vendor Finantech Holdings, which took care of K Box's content management system.

"The common issue with the breaches has a lot to do with how they have adopted IT practices that aren't so good," PDPC Chairman Leong Keng Thai said, according to Channel News Asia.

"A lot of this could have been avoided if they think about the fact that they're handling sensitive information, just as they would handle commercially valuable information. If they had been done properly, many of these breaches could have been avoided," he added.

A total of 667 complaints have been raised with the PDPC so far, most of which deal with the collection, use and disclosure of individuals' data without consent.