Singapore — The Personal Data Protection Commission (PDPC) has fined Option Gift $4,000 for a breach of the personal information of 427 national servicemen because of a technical error last June.
The country’s privacy watchdog announced on June 6, Thursday that it discovered in an investigation that Option Gift had breached section 24 of the Personal Data Protection Act. This mandates organisations to protect personal data they’ve collected by security measures that prevent “unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks”.
The compromised data of the 427 national servicemen from the Singapore Armed Forces (SAF) and Home Team were their log-in identifications, e-mail addresses, delivery addresses, and mobile phone numbers.
These men had used the Uniquerewards online portal maintained by Option Gift, which allows NSmen to redeem credits for service-linked rewards. The rewards are handed out by the Ministry of Defence (MINDEF) and the Ministry of Home Affairs (MHA) in celebration of a milestone event, such as a child’s birth, or in honour of a serviceman’s exemplary performance during in-camp training or courses.
The personal information of the NSmen was unfortunately breached when e-mails that had meant to be sent out individually ended up in almost all the NSmen’s inboxes due to an error in the programme script used to generate confirmation e-mails for users who had requested redemptions. The script did not function according to plan.
The first NSman who received the confirmation email also ended up receiving the email for the other 426 NSmen who got rewards. The next NSman got his confirmation email along with the confirmation emails for the next 425 recipients, and the pattern continued in this manner.
The PDPC said, “This error resulted in the personal data of up to 426 NSmen being accidentally disclosed.
As the administrator of the portal, the organisation had full possession and control over the personal data that the portal collects, uses, discloses and processes at all material times.
Accordingly, the organisation had full responsibility for the security of the portal, any changes to it, as well as the personal data processed by it.”
The report also said, “In this regard, the Commissioner found that the Organisation had failed to conduct sufficient testing before rolling out the programme script.”
However, the PDPC report added that commissioner Tan Kiat How took into consideration mitigating factors, including the fact that Option Gift told the affected NSmen of the breach on the very day it occurred, and that corrective measures were put in place at once by the company.
The company also voluntarily reported the breach immediately and extended full cooperation during the investigation.
The report said, “The commissioner has not set out any further directions for the organisation given the remediation measures already put in place.”
The company put into place measures that would prevent a recurrence of the data leak, including mandating the approval of Option Gift’s data protection officer before authorised users are allowed to re-send confirmation emails.
Additional improvements have also been done on the back-end system of the programme, as well as a new standard operating procedure that would document the re-sending of confirmation emails.
Moreover, the source codes are now required to be seen by one more person, and an application to detect possible bugs and vulnerabilities has also been established.
By way of apology, the 427 NSmen whose data had been beached received a gift voucher worth S$80 from Option Gift in July.
The maximum fine Option Gift could have been given is S$1 million for its failure to protect the personal data it has collected./ TISG