pdpc_decisions_version: 85
_id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
85 | 85 | 1 | 1016 | A financial penalty of $4,000 was imposed on Tanah Merah Country Club for failing to put in place reasonable security arrangements to protect the personal data of individuals stored on its electronic direct mail (“EDM”) system. The common password for login to the EDM system was weak and had not been changed since 2010. There were also no arrangements in place to ensure and enforce password strength, expiry and protection. An application for reconsideration was filed against the decision Re Tanah Merah Country Club. Upon review and careful consideration of the application, directions in the decision were varied. | [ "Protection", "Financial Penalty", "Arts, Entertainment and Recreation", "EDM", "Password", "Weak password" ] | 2020-10-16 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Tanah-Merah-Country-Club---21072020.pdf | Protection | Breach of the Protection Obligation by Tanah Merah Country Club | https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-tanah-merah-country-club | 2020-10-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1906-B4115 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tanah Merah Country Club Editorial note: An application for reconsideration was filed against the decision in Re Tanah Merah Country Club. Pursuant to this application, the Commissioner has decided to reduce the financial penalty imposed on the Organisation from $8,000 to $4,000. As the application did not give rise to significant legal or factual issues, a separate decision on the application will not be published. SUMMARY OF THE DECISION 1. On 19 June 2019, Tanah Merah Country Club (the “Organisation”) informed the Personal Data Protection Commission (the “Commission”) of unauthorised access to its electronic direct mail (“EDM”) system (the “Incident”). During the Incident, which occurred on 9 June 2019, the EDM system was used to send unauthorised spam emails. 2. The Organisation was unable to determine how unauthorised access was gained to the EDM system. During investigations, it was discovered that the common password for login to the EDM system was weak, as it comprised the initials of the Organisation and the year 2010 (which was the year that the EDM system was set up). The password was shared by at least 3 persons: 2 of the Organisation’s marketing staff and its technical support vendor. Further, it had not been changed since 2010. Investigations disclosed that there were no arrangements in place to ensure and enforce password strength, expiry and protection. 3. In the circumstances, although the means of unauthorised access to the EDM system was not determined, the evidence pointed to weak password control as the cause. The Deputy Commissioner for Personal Data Protection therefore found the Organisation in breach of section 24 of the Personal Data Protection Act 2012. 4. The Organisation is directed to pay a financial penalty of $8,000 within 30 days from the date of this direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full. In view of the remedial measures taken by the Organisation, the Commission will not issue any other directions. 5. The Organisation’s prompt co-operation in the course of the Commission’s investigation and its prompt actions taken to remediate the breach were taken into consideration in determining the quantum of the financial penalty. | Financial Penalty | e641872fa69f2e946b7cb68cb7e884c4c88db9c2 |