K Box, Challenger, Metro among 11 companies fined or warned for breaching personal data act

SINGAPORE - Local karaoke chain K Box and shopping departmental store Metro are among 11 companies that have been flagged for lapses under the Personal Data Protection Act (PDPA).

K Box was ordered by the Personal Data Protection Commission (PDPC) to pay a fine of $50,000, while its IT vendor Finantech was fined $10,000.

On Sept 16, 2014, the personal data of over 317,000 K Box Singapore clients were leaked.

PDPC noted in a press release today (April 21) that 90,000 members' personal data were sent in an unencrypted email between K Box and its IT vendor, Finantech.

Besides not having a Data Protection Officer, K Box felt that its data protection measures were adequate due to "the nature of the K Box's business (i.e. value for money, family-orientated, karaoke entertainment for everyone) and the fact that the data are non-financial in nature".

The karaoke chain later conceded to PDPC that its privacy policy before Sept 16, 2014 was not comprehensive.

PDPC also highlighted the relationship between K Box and Finantech: "What the parties referred to as 'contracts' were actually quotations sent by Finantech to K Box for their confirmation and acceptance."

The Institution of Engineers Singapore was fined $10,000, while health supplements supplier Fei Fah Medical Manufacturing was fined $5,000. Their lapses affected 4,000 and 900 accounts respectively.

PDPC also addressed the leak of Metro customers' personal data which occurred on Feb 9 and 10, 2014.

An audit by KPMG Singapore revealed 30 vulnerabilities in Metro's IT system before the hacking of its corporate website, PDPC said in its findings. It issued a warning to Metro.

Similar warnings were issued to IT retail chain Challenger Technologies, its IT vendor Xirlynx Innovations, consumer home show organiser Full House Communications, Singapore Computer Society, and YesTuition Agency.

Travel agency Universal Travel was also directed by PDPC to upgrade its personal data protection policies, after the unauthorised disclosure of 37 customers' personal data to four individuals.

A complaint lodged against Chinese electronics giant Xiaomi for disclosing personal data to third-party marketers was found to be unsubstantiated, PDPC said.

Xiaomi also provided an undertaking to PDPC to improve its personal data compliance.

PDPC has received 667 complaints since the PDPA came into full effect in July 2014. Of these, 92 per cent were resolved amicably, PDPC said.

"The enforcement actions taken are not to deter the use of personal data for business competitiveness. We recognise that data is essential for innovation in today's economy. The key is to use it responsibly and take appropriate actions to protect it," said Mr Leong Keng Thai, Chairman, PDPC.

"Both the organisation and its data intermediary, such as IT vendors that provide systems and data management solutions to businesses, are expected to exercise due care and implement adequate security measures."