K BOX ENTERTAINMENT GROUP
The karaoke chain received the heaviest fine of $50,000 and was directed to appoint a data protection officer, a must-have under the law. The enforcement was for a data breach involving 317,000 customers, whose names, contact numbers and home addresses were posted on file-sharing website pastebin.com in September 2014.
Lax security measures caused the breach. For instance, access to its computers was protected by weak passwords comprising only one letter of the alphabet.
K Box’s IT vendor was fined $10,000 for failing to update K Box’s systems with the latest, most secure software and for lax security procedures. For instance, the system administrator’s account password was simply “admin”.
INSTITUTION OF ENGINEERS SINGAPORE
The Institution of Engineers Singapore was fined $10,000 for failing to put in place adequate security measures, resulting in the wrongful disclosure of the names, e-mail addresses and residential addresses of 4,000 members on pastebin.com.
FEI FAH MEDICAL MANUFACTURING
The health supplements supplier was fined $5,000 for failing to secure its online databases, resulting in the wrongful disclosure of the usernames, passwords, contact numbers and e-mail addresses of more than 900 customers on pastebin.com.
UNIVERSAL TRAVEL CORPORATION
The tour agency was not fined, but was directed to strengthen its data protection policy and send staff to be educated on the requirements of the law. Its staff had shared the names, nationalities, dates of birth and passport numbers of 37 customers with four individuals within this tour group.
CHALLENGER
The IT retail chain was warned for not checking that its IT vendor had sent e-mail updates about the membership details of 165,000 people to the right recipients, resulting in the wrongful disclosure of members’ names and points.
Challenger’s IT vendor Xirlynx Innovations was warned for not having the proper checks in place for e-mail communications.
FULL HOUSE COMMUNICATIONS
The home exhibition organiser was warned for not ensuring that its computer system for registering individuals in a lucky draw properly secured the names and details of people who had entered their information.
METRO
Metro megastore was warned for not securing its website and content management system properly, leading to a data leak involving 445 customers.
SINGAPORE COMPUTER SOCIETY
The society was warned for mistakenly sending, without proper checks, a document containing the names, identity card numbers and business contact numbers of 214 individuals to those same 214 individuals.
YESTUITION AGENCY
Yestuition Agency was warned for mistakenly publishing on its website the identity card numbers of 30 tutors, without their consent.