Several organisations in Singapore have been fined and issued warnings for breaching the country's Personal Data Protection Act (PDPA), including local IT retail chain Challenger Technologies and Chinese handset maker Xiaomi. The Personal Data Protection Commission (PDPC) said Thursday that it had imposed financial penalties of various amounts on four organisations, which had failed to implement adequate security measures to safeguard the personal data of their customers. K Box Entertainment Group was fined S$50,000 for its failure to put in place adequate data protection policies and security safeguards, as well as for not having a data protection officer. The local karaoke chain has a membership of 317,000. Its IT vendor, Finantech Holdings, which was responsible for managing its content management system, was also fined S$10,000.
Second-hand video game and gadget retailer Cex has said up to two million of its customers have had their private details stolen. Personal data stolen by hackers include customer names, addresses, email addresses, phone numbers and some credit card information. Cex has urged customers to change their password, especially if they reuse it for other websites.
Singapore Health Services (SingHealth) has been fined S$250,000, while Integrated Health Information Systems (IHIS), the IT agency responsible for Singapore's public healthcare sector, has been slapped with a S$750,000 fine, for failing to take adequate security measures to safeguard personal data. The oversight had contributed to the July 2018 cybersecurity attack that compromised personal details of 1.5 million SingHealth patients, and breached their data protection obligations outlined in Singapore's Personal Data Protection Act. SingHealth was held responsible as the owner of the patient database that was infiltrated in the attack, which resulted in the worst breach of personal data in Singapore's history, said the Personal Data Protection Commission (PDPC), which administers the legislation, in a statement Tuesday. The outpatient medical records of another 160,000 patients were compromised in the incident. Businesses that handle customer data should be expected to do so with all the appropriate cybersecurity systems and policies in place, rather than provide these as a "value-add service", and it's time the Singapore government holds those that fail to do so accountable.
Following a spate of security breaches affecting healthcare patients in the country, another Singapore public sector agency has reported that personal information of 808,201 blood donors was left vulnerable after a third-party vendor failed to securely protect a server containing the data. The database had contained registration-related information such as donors' name and national identification number and, in some instances, blood type and weight. The external contractor, Secur Solutions Group, was provided the data for updating and testing and stored the information in a web-connected server on January 4 this year, according to the Health Sciences Authority (HSA), which was made aware of the security hole on March 13.
Australian Privacy Commissioner Timothy Pilgrim and the Privacy Commissioner of Canada Daniel Therrien have released a report on the Ashley Madison data breach over a year since the incident occurred, finding it breached both countries' privacy acts. AshleyMadison.com, a website that urged its users to "have an affair," suffered the data breach in July 2015, in what was one of the most public security breaches to date. Around 37 million people were caught up in the attack that saw the personal data of users, including credit card information, leaked online. Commissioners Pilgrim and Therrien initially opened the joint investigation into the breach in August last year, publishing their findings 12 months later. The report, titled "Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner and Acting Australian Information Commissioner", states the primary issue under investigation was the adequacy of the safeguards in place to protect the personal information of users, finding Ashley Madison breached both the Australian Privacy Act and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).