COOPERATED DURING INVESTIGATIONS
The PDPC found that OrangeTee & Tie breached its protection obligation under the Personal Data Protection Act in two ways.
It had used “live” production data, including personal data, for development and testing purposes without a sufficiently robust process, such as a security assessment, to decide whether doing so was safe.
Without such an assessment, OrangeTee & Tie could not make an informed decision on whether its security arrangements to protect the personal data were reasonable, or needed to be improved.
A safer practice would be to use anonymised data for testing purposes, said the PDPC.
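As an added illustration of the PDPC’s point about anonymised test data (this is example code, not anything from the decision or from OrangeTee & Tie), the script below takes a constructed, hypothetical extract of property-transaction records and produces a test copy in which names and ID numbers are replaced by keyed pseudonyms, transaction amounts are coarsened, and postal codes are truncated. The HMAC key lives only in the production environment; the pseudonyms are consistent across records, so joins and test cases still work, but nobody holding the test data can recover the real values. The field names, records and bucket size are assumptions for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed sample of a "live" production extract (hypothetical records
# for this example, not real customer data).
PRODUCTION_RECORDS = [
    {"txn_id": 1001, "name": "Tan Ah Kow", "nric": "S1234567D",
     "amount_sgd": 1_250_000, "postal": "238801"},
    {"txn_id": 1002, "name": "Lim Mei Ling", "nric": "T0011223A",
     "amount_sgd": 880_500, "postal": "460045"},
    {"txn_id": 1003, "name": "Tan Ah Kow", "nric": "S1234567D",
     "amount_sgd": 2_030_000, "postal": "099876"},
]


def pseudonymise(value: str, key: bytes, label: str) -> str:
    """Deterministic keyed pseudonym.

    The same input always maps to the same token, so referential integrity
    survives, but without the key the token cannot be reversed or linked
    back to the real value. The label keeps the name and ID namespaces apart.
    """
    digest = hmac.new(key, f"{label}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{label}-{digest[:12]}"


def generalise_amount(amount: int, bucket: int = 100_000) -> int:
    """Round a transaction amount down to a coarse bucket so the exact
    figure, which could identify a specific sale, is not carried over."""
    return (amount // bucket) * bucket


def anonymise_records(records: list[dict], key: bytes) -> list[dict]:
    """Produce a test-safe copy of a production extract."""
    out = []
    for r in records:
        out.append({
            # Internal transaction id is kept so test fixtures can reference rows.
            "txn_id": r["txn_id"],
            "name": pseudonymise(r["name"], key, "person"),
            "nric": pseudonymise(r["nric"], key, "id"),
            "amount_sgd": generalise_amount(r["amount_sgd"]),
            # Keep only the first two digits of a Singapore postal code
            # (the postal sector) and mask the rest.
            "postal": r["postal"][:2] + "XXXX",
        })
    return out


def contains_live_values(test_records: list[dict], production_records: list[dict]) -> bool:
    """Leak check to run before the test set leaves the production boundary:
    no original name or ID number may appear anywhere in the output."""
    blob = json.dumps(test_records)
    return any(r["name"] in blob or r["nric"] in blob for r in production_records)


if __name__ == "__main__":
    # Generate the key in production, use it once, and do not ship it with
    # the test data; if the key is retained, the data is only pseudonymised.
    key = os.urandom(32)
    test_data = anonymise_records(PRODUCTION_RECORDS, key)
    assert not contains_live_values(test_data, PRODUCTION_RECORDS)
    print(json.dumps(test_data, indent=2))
```

One design point worth noting: a keyed pseudonym is only as anonymous as the key handling. If the key is kept and the test environment is later compromised, as happened here, the attacker may still be unable to reverse the tokens, but the organisation itself can, so the dataset should be treated as pseudonymised personal data unless the key is destroyed after the export.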
OrangeTee & Tie had also failed to conduct reasonable periodic security reviews, which should be a basic practice to identify and correct any vulnerabilities, the PDPC added.
OrangeTee & Tie subsequently admitted that it had not considered the need for such reviews in its IT security policy.
In deciding what financial penalty to impose, the PDPC considered mitigating factors such as the company taking prompt remedial actions.
It immediately shut down and isolated the affected servers from the rest of the IT network and updated its servers with the latest security patches.
It also notified those affected, cooperated during investigations and voluntarily admitted to breaching its protection obligation, said the PDPC.
The PDPC added that while names and property transaction amounts were exfiltrated, it did not consider these categories to be highly sensitive, since they were already in the public domain to a certain extent.
For example, a member of the public can look up names through a land titles search on the Singapore Land Authority’s website.
In October last year, the maximum amount that a company can be fined for a data breach was increased to either 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher.
Previously, organisations that violate the Personal Data Protection Act would face a financial penalty of up to S$1 million.