The Personal Data Protection Commission (PDPC) of Singapore has fined its computer vendor Option Gift $4,000 for disclosing the personal information of 426 NSmen (National Servicemen) last year. The commission recently stated that it discovered in an investigation that Option Gift violated section 24 of the Personal Data Protection Act by exposing the sensitive information.
The compromised data included sensitive information like log-in identifications, e-mail addresses, delivery addresses, and mobile phone numbers of the NSmen from the Singapore Armed Forces (SAF) and Home Team.
The issue occurred due to a technical issue in Uniquerewards, online portal maintained by Option Gift, which allows NSmen to redeem credits for service-linked rewards from the Ministry of Defence (MINDEF) and the Ministry of Home Affairs (MHA).
The personal information of the NSmen was leaked when e-mails that are meant to be sent out individually ended up sending it to all the NSmen due to an error in the program script. The PDPC stated that Option Gift had failed to conduct enough testing before deploying the program script.
“As the administrator of the portal, the organization had full possession and control over the personal data that the portal collects, uses, discloses and processes at all material times,” PDPC said in its report. Accordingly, the organization had full responsibility for the security of the portal, any changes to it, as well as the personal data processed by it.”
Option Gift emailed the affected NSmen to apologize after the incident was discovered and urged them to delete all the emails which are not intended for them.
In order to boost cybersecurity and tackle next-generation cyber threats, the Personal Data Protection Commission of Singapore recently updated the guidelines on data breach notification and accountability. The new guidelines are intended to help companies manage data breaches more effectively.
As per the new procedures, which are expected to be included in the upcoming data protection act, the companies in Singapore should not take more than 30 days to complete an investigation into a suspected data breach. The companies are also required to notify the authorities about the incident before 72 hours after discovering a data breach. The PDPC stated the businesses are required to notify authorities if a breach affects more than 500 individuals. The data intermediaries also need to report potential data breaches to their parent organization within 24 hours after identifying a security incident.
In addition, the PDPC also introduced three initiatives to support innovation and strengthen accountability among organizations – Establishing public consultation to seek opinions on proposed data portability and data innovation provisions, Introducing a new guide on Active Enforcement to drive for organizations shift from compliance to accountability, and an updated guide to managing data breaches.
