5 Firms, Genki Sushi Among Them, Face $117k Fine for Personal Data Security Breach

Singapore’s PDPC Turns the Tax Invoice into a Tackle

In the past three weeks, the Personal Data Protection Commission (PDPC) handed out a total of $117,000 in fines to five companies that missed the memo on keeping personal data safe. The penalties range from a modest $5,000 to a hefty $54,000—think of it as a “data‑security” post‑pay.

1. Horizon Fast Ferry – $54,000 (Highest in Six Months)

The ferry operator that shuttles passengers between Singapore and Batam was found lacking in three critical areas:

  • No Data Protection Officer to steer the ship.
  • No formal data‑protection policies in place.
  • Missing “reasonable security arrangements” to guard customer details.

When the PDPC reviewed the case last Friday, the biggest fine, $54,000, was handed down. It is the highest penalty in the last six months.

2. Genki Sushi – $16,000

Our beloved sushi chain was slapped with a penalty because a compromised server left its employee data open to a ransomware attack last September. The attacker encrypted only about 360 employee records, and Genki had to consider paying a ransom. The PDPC found four key mistakes:

  • No firewall for the payroll server.
  • Failed firewall configuration even after a recent IT migration.
  • A problematic off‑the‑shelf payroll software that let staff view payslips and supervisors confirm attendance.
  • No safeguard against external threats.

3. Central Depository – $24,000

Due to a printing error, the CDP accidentally included the data of 1,358 account holders in notification letters sent to other clients. The PDPC fined it for not protecting this data from unauthorized disclosure.

4. Toppan Security Printing – $18,000

Similar to CDP, Toppan Security Printing mishandled account holder information. It was fined for failing to make “reasonable security arrangements” to keep the data from leaking.

5. Championtutor – $5,000

The tuition agency was penalized after the PDPC discovered it had no Data Protection Officer and lacked written policies or procedures to stay compliant with the PDPA.

Why This Matters

These penalties are a warning bell that Singapore’s privacy watchdog is serious about data protection. The last big case was the $1 million fine on SingHealth and Integrated Health Information Systems (IHiS) for the 2018 breach that exposed the personal information of 1.5 million patients, including the Prime Minister.

So, folks—whether you run a ferry, a sushi restaurant, a depository, a printer, or a tutoring service, keep your data safe, or you might soon find yourself a victim of a hefty PDPC fine.