30-8-2024 (SINGAPORE) The Consumers Association of Singapore (Case), an organisation tasked with safeguarding consumer interests, has found itself on the receiving end of a substantial fine for failing to protect the very people it aims to serve. The Personal Data Protection Commission (PDPC) has imposed a S$20,000 penalty on Case for multiple breaches of the Personal Data Protection Act (PDPA).
In a judgement released on 28 August, the PDPC outlined two separate incidents that occurred in October 2022 and June 2023, potentially compromising the personal data of tens of thousands of consumers. These breaches have raised serious questions about the watchdog’s ability to secure sensitive information in an increasingly digital age.
The first incident, which came to light in October 2022, involved a threat actor gaining access to Case’s email accounts. This breach resulted in the dispatch of phishing emails to unsuspecting consumers, potentially exposing up to 22,542 email addresses. In a particularly alarming development, three individuals reported financial losses totalling S$217,900 after falling victim to these fraudulent communications.
Just as the dust was settling on this initial breach, a second incident emerged in June 2023. This time, 28 individuals received targeted phishing emails that reproduced complaints they had previously submitted to Case. Further investigation revealed that the personal data of 12,218 individuals may have been compromised during a data migration exercise conducted between December 2019 and January 2020.
The PDPC’s investigation uncovered a litany of shortcomings in Case’s data protection practices. These ranged from insufficient password management policies to inadequate vendor oversight and a lack of regular security awareness training for staff. Perhaps most concerning was the revelation that some of Case’s computers were running on outdated, end-of-life operating systems that no longer received security patches, leaving them exposed to known and readily exploitable vulnerabilities.
In response to these findings, Case has implemented a series of remedial measures. These include the introduction of multi-factor authentication for web-based applications, enhanced password requirements, and mandatory data protection training for all staff members. The organisation is also pursuing the Cyber Essentials Mark and the Data Protection Trust Mark to demonstrate its commitment to improved data security practices.