Singapore – A $20,000 punishment has been imposed on the Consumers Association of Singapore (Case) for violations of the Personal Data Protection Act (PDPA).
The Personal Data Protection Commission (PDPC) announced on August 28 that the consumer watchdog had been penalized for neglecting to implement appropriate security measures to safeguard the personal data that was in its possession or under its jurisdiction.
Additionally, it had neglected to create and put into effect the policies and procedures required to fulfill its PDPA commitments.
Unwanted emails from the address “online-submission@case.org.sg,” which is designed to get in touch with customers who file complaints on the company’s website, were sent to a few of Case’s customers on October 8, 2022.
More of these cases were subsequently reported to PDPC, and a total of 28 people were the recipients of these targeted phishing emails.
Nonetheless, in these instances, Case’s domain was not the source of the email addresses.
According to PDPC’s ruling, “since such data was contained within (Case’s) systems, the unavoidable conclusion is that their personal data had been exfiltrated from (Case’s) systems, at the very least, their e-mail addresses and complaints.”
Although investigations were unable to definitively determine how the second incident’s data breach happened, PDPC came to the conclusion that it most likely happened during a data movement exercise carried out.
Each year, all employees will undergo refresher training on data protection, and training will be provided to new hires as well.
Plans are in place for Case to receive the Data Protection Trust Mark, which identifies businesses that have implemented data protection policies in order to abide by the PDPA’s requirements, and the Cyber Essentials Mark, which helps small and medium-sized businesses have baseline cyber defences to protect their systems and operations from frequent cyberattacks.
