Singapore’s privacy watchdog has fined four organisations and warned another seven for failing to safeguard their users’ private information, in an unprecedented move that signals a tough stance against errant organisations.
The stiffest fine was for K Box, the karaoke operator that leaked 317,000 customers’ names, contact numbers and addresses after it suffered a cyber attack in September 2014.
It was told to pay a penalty of S$50,000 for not safeguarding customer data adequately, the Personal Data Protection Commission (PDPC) said today.
K Box’s IT vendor, Finantech Holding, wasn’t spared either. It was fined S$10,000 for not updating the systems to the latest and more secure versions.
Perhaps most revealing from the investigations was the password for the administrator account at K Box. It was left as “admin”, making it easy for hackers to access the system.
It is not just the high-profile victims of cyber crime that have now come into the spotlight for poor IT practices that expose end-user data. Familiar names will be embarrassed as well.
The Institution of Engineers Singapore was fined S$10,000 and health supplements supplier Fei Fah Medical Manufacturing was told to cough up S$5,000, both for not having adequate security measures in place.
IT retailer Challenger Technologies and its IT vendor Xirlynx Innovations were given warnings for lapses in the way they handled personal data. The same went for Singapore Computer Society, an industry body.
Consumers will welcome the government’s tough stance on such errant organisations, as it steps up efforts to ensure that personal information is not loosely collected, stored or handled.
After all, with more sensitive information coming online with a smart nation, trust is something that has to be built with users and citizens.
For organisations in Singapore, though, the news will be sobering. They not only have to contend with an increased cyber threat today but could now face significant fines and the shame of being named as having failed to protect private information.
They may also say the government is practising double standards. While it gets tough on errant private sector organisations, it is itself exempt from the privacy laws in place today.
For example, SingPass relied on users’ IC numbers as usernames for years and did not require second-factor authentication until a serious breach in 2014 forced a long-overdue change.
At the same time, upcoming road gantry systems will be used to help government agencies collect information on where a car has travelled, in the name of fighting terrorism.
Guidelines and a framework have been promised to prevent abuse, but so far, these have not been debated in public.