
Company fined S$4,000 for personal data breach of 427 NSmen 

The personal information of the NSmen was breached when e-mails that were meant to be sent out individually ended up in almost all the NSmen’s inboxes due to an error in the programme script


Singapore — The Personal Data Protection Commission (PDPC) has fined Option Gift $4,000 for a breach of the personal information of 427 national servicemen because of a technical error last June.

The country’s privacy watchdog announced on June 6, Thursday that it discovered in an investigation that Option Gift had breached section 24 of the Personal Data Protection Act. This section requires organisations to protect personal data they have collected with security measures that prevent “unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks”.

The compromised data of the 427 national servicemen from the Singapore Armed Forces (SAF) and Home Team were their log-in identifications, e-mail addresses, delivery addresses, and mobile phone numbers.

These men had used the Uniquerewards online portal maintained by Option Gift, which allows them to redeem credits for service-linked rewards. The rewards are handed out by the Ministry of Defence (MINDEF) and the Ministry of Home Affairs (MHA) in celebration of a milestone event, such as a child’s birth, or in honour of a serviceman’s exemplary performance during in-camp training or courses.


The personal information of the NSmen was breached when e-mails that were meant to be sent out individually ended up in almost all the NSmen’s inboxes due to an error in the programme script used to generate confirmation e-mails for users who had requested redemptions. The script did not function according to plan.

The first NSman who received the confirmation email also ended up receiving the email for the other 426 NSmen who got rewards. The next NSman got his confirmation email along with the confirmation emails for the next 425 recipients, and the pattern continued in this manner.
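The delivery pattern described above is the kind of fault a dry run can catch before a mail script goes live. The following is an added example, not code from Option Gift or the PDPC report: it scans a captured outbox for messages that carry another user's personal data. The message template, function names and sample records are all constructed, and the page does not state the actual cause of the error in the real script.

```python
def find_cross_disclosures(outbox, records):
    """Return sorted (recipient, owner) pairs where a message delivered to
    `recipient` contains personal data belonging to a different `owner`."""
    leaks = set()
    for recipient, body in outbox:
        for owner, fields in records.items():
            if owner != recipient and any(f in body for f in fields):
                leaks.add((recipient, owner))
    return sorted(leaks)


def render(owner, records):
    """Build one confirmation body from a user's record (hypothetical template)."""
    login, address, mobile = records[owner]
    return f"Redemption confirmed for {login}. Deliver to {address}. Contact {mobile}."


# Constructed sample data: e-mail -> [log-in ID, delivery address, mobile number]
RECORDS = {
    "a@example.test": ["user_a", "1 Alpha Road", "+65 0000 0001"],
    "b@example.test": ["user_b", "2 Bravo Road", "+65 0000 0002"],
    "c@example.test": ["user_c", "3 Charlie Road", "+65 0000 0003"],
    "d@example.test": ["user_d", "4 Delta Road", "+65 0000 0004"],
}
USERS = list(RECORDS)


def leaky_dry_run():
    """Constructed outbox with the delivery pattern the article describes:
    each recipient gets their own confirmation plus those of every later user."""
    return [(USERS[k], render(o, RECORDS)) for k in range(len(USERS)) for o in USERS[k:]]


def correct_dry_run():
    """One message per user, containing only that user's data."""
    return [(u, render(u, RECORDS)) for u in USERS]


if __name__ == "__main__":
    for recipient, owner in find_cross_disclosures(leaky_dry_run(), RECORDS):
        print(f"LEAK: {recipient} received data of {owner}")
    assert find_cross_disclosures(correct_dry_run(), RECORDS) == []
```

With four constructed users the faulty outbox produces six cross-disclosures and the last user receives only his own message, which matches the article's "up to 426" of 427.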

The PDPC said, “This error resulted in the personal data of up to 426 NSmen being accidentally disclosed.

As the administrator of the portal, the organisation had full possession and control over the personal data that the portal collects, uses, discloses and processes at all material times.
Accordingly, the organisation had full responsibility for the security of the portal, any changes to it, as well as the personal data processed by it.”

The report also said, “In this regard, the Commissioner found that the Organisation had failed to conduct sufficient testing before rolling out the programme script.”

However, the PDPC report added that commissioner Tan Kiat How took into consideration mitigating factors, including the fact that Option Gift told the affected NSmen of the breach on the very day it occurred, and that corrective measures were put in place at once by the company.

The company also voluntarily reported the breach immediately and extended full cooperation during the investigation.

The report said, “The commissioner has not set out any further directions for the organisation given the remediation measures already put in place.”

The company put into place measures that would prevent a recurrence of the data leak, including mandating the approval of Option Gift’s data protection officer before authorised users are allowed to re-send confirmation emails.

Additional improvements have also been made to the back-end system of the programme, and a new standard operating procedure has been introduced to document the re-sending of confirmation emails.

Moreover, the source code is now required to be seen by one more person, and an application to detect possible bugs and vulnerabilities has also been put in place.

By way of apology, the 427 NSmen whose data had been breached received a gift voucher worth S$80 from Option Gift in July.

The maximum fine Option Gift could have been given is S$1 million for its failure to protect the personal data it has collected./ TISG
