Company fined S$4,000 for personal data breach of 427 NSmen 

The personal information of the NSmen was breached when e-mails that were meant to be sent out individually ended up in almost all the NSmen’s inboxes due to an error in the programme script

Singapore — The Personal Data Protection Commission (PDPC) has fined Option Gift S$4,000 for a breach of the personal information of 427 national servicemen because of a technical error last June.

The country’s privacy watchdog announced on June 6, Thursday that it discovered in an investigation that Option Gift had breached section 24 of the Personal Data Protection Act. This section requires organisations to protect the personal data they have collected with security measures that prevent “unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks”.

The compromised data of the 427 national servicemen from the Singapore Armed Forces (SAF) and Home Team were their log-in identifications, e-mail addresses, delivery addresses, and mobile phone numbers.

These men had used the Uniquerewards online portal maintained by Option Gift, which allows NSmen to redeem credits for service-linked rewards. The rewards are handed out by the Ministry of Defence (MINDEF) and the Ministry of Home Affairs (MHA) in celebration of a milestone event, such as a child’s birth, or in honour of a serviceman’s exemplary performance during in-camp training or courses.

The personal information of the NSmen was unfortunately breached when e-mails that were meant to be sent out individually ended up in almost all the NSmen’s inboxes due to an error in the programme script used to generate confirmation e-mails for users who had requested redemptions. The script did not function according to plan.

The first NSman who received the confirmation email also ended up receiving the emails for the other 426 NSmen who got rewards. The next NSman got his confirmation email along with the confirmation emails for the next 425 recipients, and the pattern continued in this manner.

The PDPC said, “This error resulted in the personal data of up to 426 NSmen being accidentally disclosed.

As the administrator of the portal, the organisation had full possession and control over the personal data that the portal collects, uses, discloses and processes at all material times. Accordingly, the organisation had full responsibility for the security of the portal, any changes to it, as well as the personal data processed by it.”

The report also said, “In this regard, the Commissioner found that the Organisation had failed to conduct sufficient testing before rolling out the programme script.”
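The kind of pre-release dry run that would catch the disclosure pattern described above, as an added example that is not Option Gift's script or code from the PDPC report. The record fields follow the data types named in the article; the function names, the sample batch and the `send_buggy` defect are constructed for illustration, since the report does not describe the actual coding error.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Redemption:          # hypothetical record shape, fields taken from the article
    login_id: str
    email: str
    address: str
    mobile: str

@dataclass(frozen=True)
class Message:
    to: str
    body: str

# Constructed sample batch (not real data).
BATCH = [Redemption(f"user-{i:03d}", f"user{i:03d}@example.test",
                    f"Blk {100 + i} Example Ave", f"9000 {i:04d}") for i in range(1, 5)]

def render(r):
    return f"Redemption confirmed for {r.login_id}. Deliver to {r.address}. Contact {r.mobile}."

def send_buggy(batch):
    # Constructed defect that reproduces the reported pattern: each recipient
    # also receives the confirmations of everyone after him in the batch.
    return [Message(r.email, render(o)) for i, r in enumerate(batch) for o in batch[i:]]

def send_fixed(batch):
    return [Message(r.email, render(r)) for r in batch]

def cross_disclosures(batch, outbox):
    """Return (recipient, leaked_login_id) for each message carrying another user's data."""
    leaks = []
    for m in outbox:
        for r in batch:
            fields = (r.login_id, r.email, r.address, r.mobile)
            if r.email != m.to and any(f in m.body for f in fields):
                leaks.append((m.to, r.login_id))
    return leaks

def safe_to_release(batch, outbox):
    """Gate for a dry run: exactly one message per user and no cross-disclosure."""
    one_each = sorted(m.to for m in outbox) == sorted(r.email for r in batch)
    return one_each and not cross_disclosures(batch, outbox)
```

Run against a captured outbox instead of a live mail server, the gate fails the buggy sender on both counts: ten messages for four users, and the data of three of the four users delivered to someone else.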

However, the PDPC report added that commissioner Tan Kiat How took into consideration mitigating factors, including the fact that Option Gift told the affected NSmen of the breach on the very day it occurred, and that corrective measures were put in place at once by the company.

The company also voluntarily reported the breach immediately and extended full cooperation during the investigation.

The report said, “The commissioner has not set out any further directions for the organisation given the remediation measures already put in place.”

The company put into place measures that would prevent a recurrence of the data leak, including mandating the approval of Option Gift’s data protection officer before authorised users are allowed to re-send confirmation emails.

Additional improvements have also been made to the back-end system of the programme, and a new standard operating procedure has been introduced to document the re-sending of confirmation emails.

Moreover, the source code is now required to be seen by one more person, and an application to detect possible bugs and vulnerabilities has also been put in place.

By way of apology, the 427 NSmen whose data had been breached received a gift voucher worth S$80 from Option Gift in July.

The maximum fine Option Gift could have been given is S$1 million for its failure to protect the personal data it has collected./ TISG
