Singapore’s Personal Data Protection Commission (PDPC) has imposed penalties on four companies for data protection breaches. More than 630,000 people were affected, including military personnel.

The heaviest fine, S$35,000 (US$26,375, €21,750), was levied on private healthcare training provider HMI Institute of Health Sciences for failing to have reasonable security arrangements to protect personal data stored in its server.

The information was subjected to a ransomware attack December 2019 which affected personal data of 110,080 courses participants and 253 employees between 2014 and 2019.

A cyber security expert’s investigation found no evidence of any exfiltration of that data and the institute retrieved all of it as most of the affected files were back-ups, the PDPC said.

Also, the institute decommissioned the server, without paying the ransom, and took measures to avoid a repeat incident.

Web design company Webcada was fined S$25,000 for breaching the Personal Data Protection Act by failing to put in place reasonable measures to protect personal data and for having no written policies and practices to ensure compliance with law.

A ransomware attack on the company last September impacted the personal data of 522,722 people. Investigations showed no evidence of data leaks and all of the affected information was restored from back-ups.

ST Logistics, which provides logistical services to Singapore’s government and military, was fined S$8,000 for failing to prevent unauthorised access to personal data of 2,400 ministry of defence and Singapore Armed Forces’ personnel following a phishing attack in October 2019. Potentially 4,000 individuals were affected, the data protection authority said.

The Singaporean branch of India-based information technology and services company Larsen & Toubro Infotech (LTI) was fined S$7,000 for failing to prevent unauthorised disclosure of job applicants’ personal data and disclosing it without their consent.

The breaches of the Personal Data Protection Act stemmed from an LTI employee emailing a job applicant sample forms which contained the personal data of a past job applicant, and another employee copying in 54 job applicants’ names and email addresses in the ‘To’ field to all 54 in an email reminder to complete their application process.

PrivSec Global

Make sure to register to PrivSec Global now and tune into “Data Breaches: It Does Happen to Every Company, It Does Happen All The Time, and It Is a Big Deal.”

23 June at 3pm BST | 4pm CEST | 9pm HK

Speakers include:

  • Carter Schoenberg, VP Cybersecurity and Chief Cybersecurity Officer, SoundWay Consulting Inc
  • Jennifer Beckage, Founder, Esq., CIPP/US, CIPP/E, Beckage
  • Victoria van Roosmalen, CISO/DPO, Coosto
  • Rebecca Perry, CIPP US/G, Director of Strategic Partnerships, Exterro