July 12, 2018

Singapore's Biggest Data Breaches in 2016

Many organisations understand that the private information they hold on their customers is their responsibility and most try to take the necessary precautions to make sure it is adequately protected. Despite their best efforts, cases of data breaches still occur on a regular basis and 2016 was no exception.

In Singapore, the public’s personal data is protected by the Personal Data Protection Act (PDPA) and enforced by the Personal Data Protection Commission (PDPC). Here's what you can learn from the top 5 data breaches in Singapore last year.

1)    United Overseas Bank (UOB)

In June 2016, local news site The Middle Ground discovered a black trash bag behind UOB’s headquarters containing both corporate and personal documents from UOB clients, exposing private details such as NRIC numbers, phone numbers, and even a client’s full address. The discovery eventually led the Monetary Authority of Singapore(MAS) to investigate UOB over their failure to adequately protect their clients’ personal data.

How could this happen? For one, organisations often still focus primarily on cybersecurity as a way to protect private information. Many forget that physical data is equally as important and a secure personal data destruction plan should be implemented to avoid data breaches.

2)    Toh-Shi Printing Singapore

A third party printing company hired by Aviva insurance, Toh-Shi Printing Singapore, caused the personal data of 8,022 individuals to be leaked when Aviva policyholders received inaccurate statements in which their personal data was disclosed. The PDPC fined the company S$25,000 for failing to implement adequate checks in processing personal data. The printing firm then admitted that the breach occurred due to its own staff failing to comply with the company’s security procedures.

Cases like this show that sometimes the threat does not come from an external party or malicious intent, but through the carelessness of employees. Clear and easy to follow processes combined with regular reminders and proper staff training can help to mitigate some of this risk.

3)    KBOX

Popular local karaoke chain KBOX was fined S$50,000 by the PDPC in April 2016 for leaking the names, contact numbers and residential addresses of 317,000 customers as a result of weak passwords and failing to update software. An anonymous individual exploited a computer software flaw and extracted customers’ information from KBOX and uploaded the data on a file sharing website. 

This goes to show the importance of keeping up to date with the latest software patches as well as the importance of regularly reviewing and updating security protocols such as password management. With the right foresight and a little effort, these types of data breaches can be easily avoided with some simple precautions.

4)    PropNex Realty

The PDPC started probing real estate firm, PropNex Realty, in December 2015 after a woman claimed that her name and mobile number were available online in an unsecured PDF document, which exposed the personal information of 1,765 individuals. Although the document was uploaded with the intent of only being available to staff, the system had a huge security flaw. Even though a password was needed to access webpages hosted by the system, the document itself did not need a password, making it freely available. This security gap resulted in a S$10,000 fine from the PDPC.

The lesson here is to have clear publishing rules and procedures in place. The more sensitive the information, the higher level of security is required.

5)    JP Pepperdine Group

The PDPC discovered that the personal data of 30,000 people who joined JP Pepperdine Group’s membership program was accessible by anyone on the company’s website by simply leaving the search field blank and clicking “search” or by entering a randomly simulated membership number on a webpage hosted by its third-party vendor, Ascentis. Exposed data included the names, marital status, NRIC/passport number, date of birth, phone number, email addresses, residential addresses, and other membership account details. The PDPC fined the group $10,000 for failing to adequately protect the data of their members.

This could have been easily avoided if the company had ensured their webpage was inaccessible to the public from the beginning. Once again highlighting the importance of having the proper publishing protocols in place.

Don’t let your company become the victim of a data breach. If you would like to review your information security requirements and potential areas of vulnerability, please contact a Shred-it representative for a FREE Data Security Survey.