Number of firms that break Singapore’s personal data protection law balloons

The number of organisations breaching Singapore’s Personal Data Protection Act (PDPA) has reached record levels and has already surpassed the total number of enforcement cases in 2018, according to the Data Protection Excellence (DPEX) Centre.

The autonomous research and education arm of Straits Interactive finds that, as of the end of August 2019, 26 organisations had been either fined or warned in enforcement cases, compared with 23 organisations recorded in the full year of 2018.

A total of S$1.28 million in fines has been issued to date this year, the majority of which came from the fines imposed over the SingHealth-IHIS data breach. From 2016 to 2018, fines totalled only S$339,000.

Kevin Shepherdson, head of DPEX Centre and CEO of Straits Interactive, said that about 80% of all valid cases were due to a breach of the protection obligation, where personal data was compromised and leaked, mostly because of employee error or negligence rather than malicious activity. Only 15% of such enforcement cases were due to a cyber-attack.

The top 10 common causes of PDPA breaches are untrained staff; no data protection policies; inadequate security controls; lack of appropriate SOPs; weak passwords; poor system/software design; sending to wrong recipients; failure to verify the accuracy of processed data; system security not audited regularly; and error in processing/printing.

The top 5 sectors involved are financial (14%); retail; volunteer welfare organisations (10%); professional service (9%); and food and beverage (9%).

Dan Mountstephen, regional VP at Centrify, said the company's research reveals that 74% of data breaches involve privileged access abuse.

“Cyber-attackers no longer ‘hack’ in, they log in using weak, default, stolen, or otherwise compromised credentials and then seek out privileged access to critical systems and sensitive, profitable data,” Mountstephen said.

He said that while some may be encouraged to see fines being imposed on organisations that are not placing a higher importance on customer privacy and data security, more attention should be devoted to placing stricter access controls in place to keep bad actors out.

“Adopting basic privileged access management strategies and a Zero Trust approach to cybersecurity, which assumes no one is to be trusted until their identity is proven, can significantly harden the cybersecurity posture of any organisation and reduce their risk of being breached, and fined,” he added.