What K Box’s personal data breach means for your business

Even though the Personal Data Protection Act (PDPA) was passed in 2012, it was only in April 2016 that the Personal Data Protection Commission (PDPC) began taking punitive measures against non-compliant companies in Singapore.

Singapore takes hardline stance on non-compliant companies

In April 2016, the PDPC fined 4 companies and warned 7 others for mishandling consumer data. The biggest culprit was K Box Singapore (K Box), which was fined $50,000 for mishandling the data of 317,000 of their customers.

Other notable companies, such as Challenger and Metro, were also found to be non-compliant with PDPA regulations.

What exactly did K Box do or fail to do?

K Box failed to put the necessary security measures in place to protect customers’ data in its content management system (“CMS”). For example, the administrative account had the username “admin” and the weak, default password “admin”. This was a breach of the Protection Obligation under section 24 of the PDPA, which states that an organization has to make “reasonable security arrangements” to protect its customer data.

To make matters worse, K Box did not appoint a Data Protection Officer (DPO) for almost 2 years, breaching the Openness Obligation under section 11(3), which states that an organization “shall designate one or more individuals” to comply with the PDPA.

K Box’s privacy policy was deemed to be “not comprehensive”, again breaching the Openness Obligation under section 12(a) which states that organizations shall “develop and implement policies that are required by the organization” to meet its PDPA obligations.

Together, these breaches of the PDPA allowed a group of hackers known as “The Knowns” to break into K Box’s CMS. This resulted in sensitive information, such as customers’ NRIC numbers and addresses, becoming publicly accessible.
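The “admin”/“admin” account is the one concrete technical failing named above. The following added example (not K Box’s or its vendor’s code; the user table, salt and default-credential list are constructed) shows the two checks a DPO or IT vendor would run: rejecting default or trivial passwords when they are set, and auditing an existing password store for known vendor defaults without needing plaintext passwords.

```python
"""Audit CMS local accounts for the default-credential weakness above
(an 'admin' account whose password is also 'admin').
Added example, not K Box's or any vendor's code; data below is constructed."""

import hashlib
import hmac
import os

# Factory-default credential pairs to test against (constructed list).
DEFAULT_PAIRS = {("admin", "admin"), ("admin", "password"),
                 ("root", "root"), ("administrator", "administrator")}
MIN_LENGTH = 12
PBKDF2_ITERS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a stored verifier; the store keeps salt + hash, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def audit_plaintext(username: str, password: str) -> list[str]:
    """Weaknesses detectable when a password is set (empty list if none)."""
    findings = []
    if (username.lower(), password.lower()) in DEFAULT_PAIRS:
        findings.append("default vendor credential")
    if password.lower() == username.lower():
        findings.append("password equals username")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


def audit_stored(username: str, salt: bytes, stored: bytes) -> bool:
    """True if the stored verifier matches a known default for this user.
    Lets an existing user table be checked without plaintext passwords."""
    for user, pw in DEFAULT_PAIRS:
        if user != username.lower():
            continue
        if hmac.compare_digest(hash_password(pw, salt), stored):
            return True
    return False


# Constructed user table: (username, salt, pbkdf2 verifier).
_SALT = os.urandom(16)
SAMPLE_TABLE = [
    ("admin", _SALT, hash_password("admin", _SALT)),
    ("editor", _SALT, hash_password("Tq7!vL2#pR9xWz", _SALT)),
]


def flagged_accounts(table=SAMPLE_TABLE) -> list[str]:
    """Usernames whose stored password is a known vendor default."""
    return [u for u, s, h in table if audit_stored(u, s, h)]
```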

What can business owners do to ensure they comply with the PDPA?

It is critical that business owners are well-equipped to ensure that they comply with PDPA guidelines, and being ignorant is no excuse.

While these measures are not exhaustive, they are highly recommended and fundamental to a company’s compliance with the PDPA.

  1.    Appoint a Data Protection Officer (DPO)

The PDPC encourages all organizations to appoint a DPO to manage consumer data. The DPO can be an existing employee and is in charge of developing a well-rounded data management system for the company and communicating it to fellow employees. K Box’s lack of a DPO was a glaring issue pointed out by the PDPC.

  2.    Implement a proper data protection process

One of the main reasons for K Box’s failure to comply with PDPA was that they had weak measures in place to protect consumer data. Even its IT vendor, Finantech, did not receive any instructions from K Box to protect the data in its system. Companies can avoid making the same mistake by having a comprehensive data protection process in place.

  3.    Run a detailed inventory of consumer data

Once a DPO has been appointed and data protection measures are in place, businesses should also keep track of how consumer data is handled. Information such as who has access to the data and where the data is distributed should be thoroughly recorded and kept up to date.

  4.    Actively keep up to date with PDPC-recommended industry guidelines

The landscape of consumer data varies greatly between industries, yet all of them must adhere to the same PDPA regulations. The PDPC has guidelines for companies in various industries such as real estate, education and healthcare. It is important that companies in these industries actively keep abreast of the guidelines that apply to them.

  5.    Seek legal advice if necessary

Companies that are still unsure whether their practices are PDPA-compliant can always seek legal advice. Corporate lawyers with expertise in PDPA compliance are available, albeit for a fee, to check that your company’s operations are in line with the PDPA.

The future of businesses and the PDPA

The fines and warnings issued by the PDPC may have been the first of their kind, but they certainly won’t be the last. With today’s rapid advances in technology and the large amounts of consumer data collected by companies, it is critical to avoid complacency and actively seek to comply with the PDPA.