SINGAPORE – Several companies have been fined a total of $75,000 for breaches and lapses that have affected the personal data of more than 600,000 people, including their names and contact numbers, and, in some cases, financial information.
This included the data of 98,000 Ministry of Defence staff and Singapore Armed Forces servicemen, affected in a 2019 breach caused by a well-known vulnerability that healthcare training provider HMI Institute of Health Sciences knowingly left open for more than four years.
HMI was fined the largest amount, $35,000, for the incident, according to a judgment issued by the Personal Data Protection Commission (PDPC) last Thursday (June 10).
The incident affected the data of more than 110,000 people in total, including 250 HMI employees.
Some HMI staff had their salary details, Central Provident Fund information and bank account numbers affected.
Hackers had used ransomware to lock up the data, demanding payment to release it.
PDPC also uncovered other data protection lapses, including the use of a single, simple password shared among several people between HMI and its information technology solution service provider.
Besides HMI, PDPC also fined three other companies recently.
Web design and e-commerce solutions firm Webcada was fined $25,000 for a ransomware attack last year affecting the personal data of 520,000 people, including their order histories.
The ransomware had been uploaded to the company’s database servers through tools used for remotely monitoring and managing servers.
There was no evidence of data being stolen and the affected data was restored from backups.
ST Logistics, which provides logistical services to the Government as well as the defence and commercial sectors, was fined $8,000 for a 2019 incident in which the personal data of 2,400 Mindef and SAF staff could have been accessed by hackers.
It happened after some of the organisation’s laptops were infected with malware from e-mails sent to the company.
Finally, technology consulting and digital solutions company Larsen and Toubro Infotech’s Singapore branch was fined $7,000 after the data from 13 past job applicants’ forms was disclosed by 10 company employees to 74 other job applicants through e-mails from 2016 to 2020.
The data included salary information, past employment history, medical health status and any criminal records.