The Consumers Association of Singapore (Case) has been fined S$20,000 for breaches of the Personal Data Protection Act (PDPA) following two separate data security incidents.
The Personal Data Protection Commission (PDPC) found Case failed to implement proper security measures to safeguard consumer data and neglected to develop and enforce data protection policies. These lapses resulted in the compromise of personal information for thousands of consumers.
Two Incidents Exposed Consumer Data
The first incident occurred in October 2022, when attackers gained access to Case email accounts and used them to send phishing emails to consumers. Because the messages came from genuine Case mailboxes rather than spoofed addresses, they appeared legitimate: they claimed to be from Case and asked recipients to click a link to receive compensation for complaints they had lodged. Three consumers fell for the scam, losing a total of S$217,900.
A second incident came to light in June 2023 when consumers reported receiving targeted phishing emails replicating complaints they had submitted to Case. The PDPC investigation determined this data breach likely occurred during a vendor data migration process in December 2019. This incident exposed the personal information, including names, email addresses, contact details, and complaint details, of 12,218 individuals.
Case’s Security Shortcomings
The PDPC investigation revealed several security lapses by Case:
- Weak password management: Passwords for the compromised accounts did not meet minimum complexity requirements and had not been changed in years.
- Negligent vendor management: Contracts with vendors lacked clear data security clauses, leaving consumer data handled by third parties unprotected.
- Lack of staff training: Case had not conducted data protection training for its staff in five years.
- Insufficient IT security measures: Case lacked adequate email security, logging, monitoring, and internal security controls, so the account compromise was neither prevented nor detected promptly.
Case’s Response and Moving Forward
Case has taken steps to address these security shortcomings, including:
- Implementing multi-factor authentication for applications.
- Installing security software to protect against malware, spam, and phishing attacks.
- Tightening access controls to systems.
- Decommissioning outdated devices and implementing patch management.
- Increasing password complexity requirements and enforcing regular password changes.
- Including data protection clauses in vendor contracts.
- Providing data protection training to new and existing staff.
- Working towards obtaining the Cyber Essentials mark and the Data Protection Trustmark certifications.
The PDPC has directed Case to review and update its data protection policies and to rectify all the security gaps identified. One caveat on the remediation list: current guidance such as NIST SP 800-63B advises against forcing periodic password changes, favouring longer passphrases, screening against known-breached passwords and multi-factor authentication instead, since scheduled rotation tends to produce predictable, weaker passwords. The case as a whole is a reminder that organisations handling personal data need both technical controls (MFA, logging and monitoring, patching) and the policies, vendor oversight and staff training that keep those controls effective.