Firms fined for data lapses in Singapore

The heaviest fine, S$35,000 (US$26,375, €21,750), was levied on private healthcare training provider HMI Institute of Health Sciences for failing to have reasonable security arrangements to protect personal data stored in its server.

The information was subjected to a ransomware attack December 2019 which affected personal data of 110,080 courses participants and 253 employees between 2014 and 2019.

A cyber security expert’s investigation found no evidence of any exfiltration of that data and the institute retrieved all of it as most of the affected files were back-ups, the PDPC said.

Also, the institute decommissioned the server, without paying the ransom, and took measures to avoid a repeat incident.

Web design company Webcada was fined S$25,000 for breaching the Personal Data Protection Act by failing to put in place reasonable measures to protect personal data and for having no written policies and practices to ensure compliance with law.

A ransomware attack on the company last September impacted the personal data of 522,722 people. Investigations showed no evidence of data leaks and all of the affected information was restored from back-ups.

ST Logistics, which provides logistical services to Singapore’s government and military, was fined S$8,000 for failing to prevent unauthorised access to personal data of 2,400 ministry of defence and Singapore Armed Forces’ personnel following a phishing attack in October 2019. Potentially 4,000 individuals were affected, the data protection authority said.

The Singaporean branch of India-based information technology and services company Larsen & Toubro Infotech (LTI) was fined S$7,000 for failing to prevent unauthorised disclosure of job applicants’ personal data and disclosing it without their consent.

The breaches of the Personal Data Protection Act stemmed from an LTI employee emailing a job applicant sample forms which contained the personal data of a past job applicant, and another employee copying in 54 job applicants’ names and email addresses in the ‘To’ field to all 54 in an email reminder to complete their application process.