
Case accepts judgment and $20k fine for PDPA breaches, says it's 'committed to safeguarding consumer's data'

Case was fined for failing to put in place reasonable security arrangements to protect the personal data in its possession or under its control.
PHOTO: The Straits Times file

SINGAPORE — The Consumers Association of Singapore (Case) has accepted the judgment and $20,000 fine issued by the Personal Data Protection Commission (PDPC) against it for two data breaches that happened in 2022 and 2023.

Under the Personal Data Protection Act (PDPA) provisions, any organisation or individual aggrieved by a decision or direction from the Personal Data Protection Commission (PDPC) may appeal against it within 28 days of issuance.

On Aug 28, PDPC had published its decision on the consumer watchdog's breaches under PDPA.

In response to queries, Case said on Aug 30 that following the two incidents that occurred in October 2022 and June 2023, it promptly alerted affected consumers and reported the matter to the police and the PDPC.

It said it had also promptly engaged the services of an IT forensic investigation firm and implemented various measures to strengthen its policies and systems against unauthorised access.

Up to 22,542 e-mail addresses were possibly compromised in the first incident, and consumer data of 12,218 individuals in the second.

In addition to the possibly compromised personal data, resulting phishing e-mails had led to three individuals losing a total of $217,900.

"Case is committed to safeguarding consumer's data and has complied with PDPC's directives to update our personal data protection policies and to rectify security gaps," said Dexter Tay, executive director of the consumer watchdog.

"We will continually review our systems and practices to prevent a recurrence of such incidents."

PDPC's investigations into Case's data breaches showed that it had failed to put in place reasonable security arrangements to protect the personal data in its possession or under its control.

It had also failed to develop and implement policies and practices that are necessary to meet its obligations under the PDPA.


This article was first published in The Straits Times. Permission required for reproduction.
