Genki Sushi and 4 other firms fined total $117,000 for personal data breach

Japanese restaurant chain Genki Sushi. (LightRocket via Getty Images file photo)

SINGAPORE — Five companies were fined a total of $117,000 in the last three weeks for breaching data privacy laws by failing to protect the personal data of their customers and employees.

The biggest fine of $54,000 was given to Singapore-based Horizon Fast Ferry, which provides ferry services between Singapore and Batam.

In an update last Friday (2 August) on its website, the Personal Data Protection Commission (PDPC) said that the company failed to appoint a data protection officer, develop and implement data protection policies and practices, and put in place “reasonable security arrangements” to protect its customers' personal data.

The privacy watchdog also released documents relating to these cases of breach of the Personal Data Protection Act (PDPA).

Japanese restaurant chain Genki Sushi was fined $16,000 for failing to secure the personal data of its current and former employees, which was affected by a ransomware attack on the server holding it.

The Central Depository (CDP) and Toppan Security Printing were fined $24,000 and $18,000, respectively, for unauthorised disclosure of CDP's account holders' personal data.

Tuition agency Championtutor was fined $5,000 for not having a data protection officer as well as any policies or practices in place to comply with the PDPA.

In January, the PDPC imposed the highest ever fine of $750,000 on Integrated Health Information Systems (IHiS) for lapses resulting in the nation’s worst cyberattack in history.

SingHealth was fined $250,000, the second largest financial penalty ever imposed by the PDPC, for the same data breach.

The personal particulars of 1,495,364 patients – including that of Prime Minister Lee Hsien Loong – were stolen from SingHealth’s database during the cyberattack, which occurred between 27 June and 4 July last year.

The five companies were taken to task by the PDPC for the following reasons:

Horizon Fast Ferry

Horizon Fast Ferry operates a website that allows passengers to purchase ferry tickets online, in which they are required to provide personal details in an online form. These include their full name, gender, nationality, date of birth, passport number, and passport expiry date.

When passengers checked in at the counter, these details were entered into the company’s Counter Check-In System (CCIS), an internal system accessible only to authorised counter staff.

All personal data were stored and retained in the company’s internal database, even after the last travelling date of the passenger’s itinerary, so as to speed up subsequent check-ins for returning passengers.

The data of returning passengers could be auto-retrieved and populated by the CCIS by entering their passport number.

In May 2017, according to documents, the company engaged an independent contractor on an “informal basis” with no written contract to revamp the website.

The company did not inform or instruct the contractor of its data protection obligations in relation to the personal data in the database, according to documents.

The contractor replicated the auto-retrieval and auto-population feature on the public website as part of the revamp. This meant that whenever any visitor entered a passport number that matched a returning passenger’s passport number in the database, the system would automatically retrieve that passenger’s stored details and fill in the remaining fields of the booking form. The passport number was the only thing checked, so anyone who knew or guessed a number could read the record behind it.
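The following is an added illustration, not Horizon Fast Ferry’s or the contractor’s code, of why autofilling a public booking form from a passport number alone turns the form into a lookup oracle over the whole passenger database, and of one way to gate such a lookup. The passenger records, the booking-reference field, the lockout threshold and the client identifier are all constructed assumptions for the example.

```python
"""Weak vs. gated autofill of a booking form from a passport number.

Added illustration; the records, field names and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, asdict
from typing import Dict, Iterable, Optional
import hmac


@dataclass(frozen=True)
class Passenger:
    passport_no: str
    full_name: str
    gender: str
    nationality: str
    date_of_birth: str    # YYYY-MM-DD
    passport_expiry: str  # YYYY-MM-DD
    booking_ref: str      # assumed: issued with the earlier ticket, not derivable from the passport


# Constructed records standing in for the internal passenger database.
DB: Dict[str, Passenger] = {
    "E1234567A": Passenger("E1234567A", "Tan Ah Kow", "M", "SG", "1980-01-05", "2028-01-04", "HFF-7K2Q"),
    "K9876543B": Passenger("K9876543B", "Siti Aminah", "F", "ID", "1992-07-19", "2027-07-18", "HFF-3MX9"),
}

# Fields the revamped site filled in once the passport number matched.
AUTOFILL_FIELDS = ("full_name", "gender", "nationality", "date_of_birth", "passport_expiry")


def _autofill(rec: Passenger) -> dict:
    return {k: v for k, v in asdict(rec).items() if k in AUTOFILL_FIELDS}


def autofill_weak(passport_no: str) -> Optional[dict]:
    """The behaviour the PDPC decision describes: any visitor who submits a passport
    number matching a stored record gets the remaining fields back. Nothing else is
    checked, so the form discloses a record to whoever knows or guesses the number."""
    rec = DB.get(passport_no)
    return _autofill(rec) if rec else None


def sweep(candidates: Iterable[str]) -> Dict[str, dict]:
    """What an outsider can do with the weak form: submit many passport numbers and
    keep every record that comes back. Returns {passport_no: autofilled fields}."""
    leaked = {}
    for p in candidates:
        rec = autofill_weak(p)
        if rec is not None:
            leaked[p] = rec
    return leaked


class FailedAttemptLimiter:
    """Per-client failure counter; after `limit` failed lookups further attempts are
    refused. Keying on a client identifier and the threshold are assumptions."""

    def __init__(self, limit: int = 5):
        self.limit = limit
        self.failures = defaultdict(int)

    def allowed(self, client: str) -> bool:
        return self.failures[client] < self.limit

    def record(self, client: str, success: bool) -> None:
        self.failures[client] = 0 if success else self.failures[client] + 1


LIMITER = FailedAttemptLimiter()
_DUMMY = Passenger("", "", "", "", "", "", "")


def autofill_hardened(client: str, passport_no: str, booking_ref: str, date_of_birth: str) -> Optional[dict]:
    """Autofill only when the caller also proves knowledge the passport number alone
    does not give: the booking reference from the earlier ticket and the date of
    birth. Every failure (unknown passport, wrong reference, wrong date, locked out)
    returns the same None, and the comparisons run in constant time, so the reply
    does not say which part was wrong or whether the number exists at all."""
    if not LIMITER.allowed(client):
        return None
    rec = DB.get(passport_no) or _DUMMY   # compare against a dummy so a miss costs the same
    ok = hmac.compare_digest(rec.booking_ref.encode(), booking_ref.encode())
    ok &= hmac.compare_digest(rec.date_of_birth.encode(), date_of_birth.encode())
    ok &= rec.passport_no != ""           # a dummy never matches, even on empty inputs
    LIMITER.record(client, ok)
    return _autofill(rec) if ok else None
```

The weak path shows the issue in one line: the only input is the identifier the data is keyed on, so the form is effectively a read API for the database. The gated path does not make the passport number secret (it never was); it requires a second factor tied to the earlier booking, gives a uniform failure response, and rate-limits failures so that sweeping candidate numbers stops being practical.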

At the time of the investigation, there were 444,000 sets of personal data in the database, of which only 295,151 were unique, as a number of passengers had made bookings under different passport numbers, according to documents.

Genki Sushi

As part of internal operations, Genki Sushi used an off-the-shelf payroll application, “TimeSoft”, consisting of a web portal and a database, hosted on a local server belonging to the company. The same server also held financial data files.

The web portal was used by employees to view their electronic payslips and supervisors at the various restaurants to confirm the attendance of their employees.

The database contained the personal data of the company’s former and current employees.

On 30 August last year, an IT staff member discovered that the server was unresponsive. It had been infected with the “Dharma” variant of ransomware, which had been installed on the server through its internet connection, according to documents.

The personal data of about 360 current and former employees were affected, including their NRIC and passport numbers, contact information and names of relatives.

CDP and Toppan Security Printing

Toppan Security Printing was engaged by the CDP to carry out secure printing and dispatch of documents, including notification letters of CDP’s customers.

In June 2017, the personal data of 1,358 CDP account holders were wrongly printed in the notification letters of other account holders and sent out.

The exposed data included the name and/or CDP securities account number, which constitutes personal data of the individual.

According to documents, additional information on the securities owned by the individual was also disclosed in some notification letters.

Championtutor

A former tutor who had registered with Championtutor found a web link to the company’s list of tutors via a Google search, meaning the list was publicly reachable and had been indexed. The list contained the names, contact numbers and email addresses of 4,899 individuals, according to documents.

While the company had a privacy policy to inform tutors and students on how it manages the personal information provided by them via its website, it did not have any internal data protection policies.

This meant that the company’s part-time tuition coordinators, who had access to the personal data, were not provided with any form of guidance regarding the PDPA.
