Karaoke chain fined S$50,000 for breaching data protection law

SINGAPORE — Eleven organisations have been taken to task for breaching the Personal Data Protection Act (PDPA), with one of them, karaoke chain K Box Entertainment Group, fined S$50,000 for not having sufficient security measures to protect the personal data of its 317,000 members. 

The Personal Data Protection Commission (PDPC) said on Thursday (April 21) that since the Act came into effect in July 2014, it had received 667 complaints and had taken enforcement actions against 11 organisations for breaching data protection rules.

Six of the organisations were given warnings, while the five other companies were either told to enhance their personal data protection policies or issued fines of between S$5,000 and S$50,000.

For instance, in the case of K Box Entertainment Group, where the personal data of its members was leaked in Sept 2014 and found on a text-sharing website, the PDPC’s investigations showed that the company did not have a sufficiently robust IT system. As a result, external parties were able to install malware to gain access into its system, among other things.

Another company, IT retailer Challenger Technologies, received a warning after it issued emails, with details such as a member’s name and membership number, intended for a particular member to another one 
instead.

In determining the type of enforcement action to be taken against a certain organisation, the PDPC said it considers factors such as the type of personal data involved, number of individual affected and time taken to remedy the breach. Meanwhile, 872,849 consumers had registered their numbers under the Do Not Call (DNC) registry, which comes under the PDPA, as of March this year.

Minister for Communications and Information Yaacob Ibrahim told Parliament in February that the PDPC had received a total of 9,700 public complaints against 1,500 companies under the DNC provisions, since they came into effect in 2014. Many of the companies were from the property, retail and financial sectors.

The PDPC had issued advisory notices to about 3,000 companies, to guide them on the steps they needed to take to comply with the regulations.

The commission also received 26,500 complaints relating to messages on illegal activities, such as unlicensed money lending and illegal gambling. These complaints have been referred to the police.

Security experts told TODAY that there is a need for organisations to improve their data protection measures, and for consumers to also play a part in safeguarding their personal information.

Mr Anthony Lim, director of Cloud Security Alliance in Singapore, noted that today’s technology allows merchants to tap third parties, which are based overseas, to send messages or call using the Internet, which greatly lowers their costs. 

He said there is a need for collaborations among governments to allow for the call or text origins to be traced to the local retailer.

Consumers must also be careful with giving out their data, which could be done unknowingly through supermarket lucky draws, for instance, Mr Lim added.

Ms Shirley Wong, co-chairman of Cyber Security Awareness Alliance, said there are technological tools that companies can use to safeguard against loss of information, including data encryption or installing software to monitor how staff handle clients’ personal data.